#1638 (Applied OutputEscapers should be removed when including a component from a view)

Ticket #1638 (assigned defect)

Opened 1 year ago

Last modified 5 days ago

Reported by: Jan.Kunzmann
Assigned to: Carl.Vondrick (accepted)
Priority: major
Milestone: 1.2.0
Component: controller
Version: 1.0.0
Keywords: component sfOutputEscaper
Cc:
Qualification: Design decision

Description

When you're using "escaping_strategy: both" and call a component from a view with the include_component helper function, the automagically applied OutputEscapers are not removed from the given variables array. Thus, the logic of a component believes it is dealing with an object of a certain type, but in reality it's dealing with the sfOutputEscaper wrapper. This could lead to undesired behaviour (e.g. double escaping).

Somewhere between the include_component helper function and the execute method of the component, the $vars array should be treated with getRawValue() calls where appropriate.

Change History

05/28/08 10:53:26 changed by gilles.doge

  • qualification set to Unreviewed.

A part of this problem is already exposed in ticket #509 (double escaping).

07/14/08 00:21:51 changed by Carl.Vondrick

  • owner changed from fabien to Carl.Vondrick.
  • status changed from new to assigned.
  • milestone set to 1.2.0.

07/15/08 00:21:51 changed by Carl.Vondrick

  • qualification changed from Unreviewed to Design decision.

I could have sworn that the output escaping strategy could be set on the module level, not just application level. But, as this is not the case, I do not think that we should remove output escaping when including in a partial, but rather just prevent double escaping.

09/01/08 01:25:47 changed by Jan.Kunzmann

It's not about partials. It's the component code expecting a variable to be of a certain type, e.g. a string, and not sfOutputEscaper.

I'll try to do an example:

Let's assume there's a class "Foo". Furthermore, let's assume there's a method or function somewhere else in the code which takes a parameter of class Foo like this:

function doSomethingWithFoo(Foo $foo) {...

Let's start. My action does

$this->bar = new Foo();

and symfony's view logic wraps an sfOutputEscaper around $bar, so in my view, I can call

<?php echo $bar->getName() ?>

without any problems. That's cool stuff! I don't have to care about quoting, things just behave well and coder friendly. Let's call a component from the view:

<?php include_component('mymodule', 'mycomponent', array('bar' => $bar)) ?>

The component's execute method looks like this:

public function execute() {
  doSomethingWithFoo($this->bar);
}

This call will fail as $this->bar is not of type Foo as expected, but of sfOutputEscaperObjectDecorator. Thus, I suddenly have to care about the escapers and call my component

<?php include_component('mymodule', 'mycomponent', array('bar' => $bar->getRawValue())) ?>

which is not what I'd expect from an automagic feature.
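
The two failure modes discussed in this ticket (the rejected type hint and double escaping) and the unwrapping step proposed in the description, as an added PHP 7+ example that is not part of the ticket and not symfony's code. `Escaper` and `unwrapVars()` are hypothetical stand-ins for the sfOutputEscaper wrappers and for the proposed getRawValue() pass over the variables array; the component's own view still escapes the unwrapped value on output.

```php
<?php
// Added illustration for PHP 7+. Escaper and unwrapVars() are hypothetical
// stand-ins, not symfony's sfOutputEscaper classes.
class Foo
{
    public function getName() { return 'Tom & Jerry'; }
}

// Minimal escaping wrapper: forwards method calls, escapes string results.
class Escaper
{
    private $value;
    public function __construct($value) { $this->value = $value; }
    public function getRawValue() { return $this->value; }
    public function __call($method, $args)
    {
        $result = call_user_func_array(array($this->value, $method), $args);
        return is_string($result) ? htmlspecialchars($result, ENT_QUOTES, 'UTF-8') : $result;
    }
}

function doSomethingWithFoo(Foo $foo) { return $foo->getName(); }

// Remove wrappers from the variables handed to a component, so its logic
// sees the original types and its own view escapes them exactly once.
function unwrapVars(array $vars)
{
    foreach ($vars as $key => $value) {
        if ($value instanceof Escaper) {
            $vars[$key] = $value->getRawValue();
        }
    }
    return $vars;
}

$bar = new Escaper(new Foo());            // what the calling view holds

try {
    doSomethingWithFoo($bar);             // wrapper is not a Foo
} catch (TypeError $e) {
    echo "type hint rejected the wrapper\n";
}

$rewrapped = new Escaper($bar);           // component view wraps it again
echo $rewrapped->getName(), "\n";         // escaped twice

$vars = unwrapVars(array('bar' => $bar)); // proposed step before execute()
echo doSomethingWithFoo($vars['bar']), "\n";        // raw value for logic only
echo (new Escaper($vars['bar']))->getName(), "\n";  // escaped once in the view
```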