
#2809 (sfForm needs to be exempt from output escaping)


Ticket #2809 (closed defect: fixed)

Opened 8 months ago

Last modified 8 months ago

sfForm needs to be exempt from output escaping

Reported by: Carl.Vondrick
Assigned to: fabien
Priority: major
Milestone:
Component: form
Version: 1.1.0 DEV
Keywords: output escaping form
Cc:
Qualification: Ready for core team

Description (Last modified by fabien)

Problem

Much of the elegance of sfForm is skewed when using it with output escapers. Most notably:

  1. When echoing out a form, the form HTML is escaped.
  2. sfOutputEscaperObjectDecorator does not implement the ArrayAccess interface, so we cannot do:

      echo $form['username'];

     we instead must do:

      echo $form->offsetGet('username');

There are three possible options (from Fabien):

Solution 1

The easiest way to do this is to wrap safe variables within a special object when passing a variable to the template:

$this->form = new sfOutputEscaperSafeVariable(new SomeForm()); // we need to come up with a better name

We can also create a shortcut function:

$this->form = mark_safe(new SomeForm()); // or markSafe()

Then the escaper just unwraps such objects and does not escape them.

Solution 2

The other possibility is to have a new method in the escaper classes to add safe variables. So, in an action, you can do:

$this->a = 1; // which is equivalent to $this->setVar('a', 1);

or if you want to add a safe variable:

$this->setSafeVar('form', new sfForm());

This is perhaps faster than solution 1 but you can't use the $this-> convention for safe variables.

Solution 3

A third possibility is to have a special convention for classes that don't need to be escaped:

class SomeClass
{
  const SF_IS_SAFE = true; // again, we need a better name

  // or

  public function isHtmlSafe()
  {
    return true;
  }
}

But this does not work if you use third party classes.

Attachments

patch (9.8 kB) - added by fabien on 01/20/08 11:09:46.

Change History

01/20/08 11:09:46 changed by fabien

  • attachment patch added.

01/20/08 11:10:26 changed by fabien

  • owner set to fabien.
  • status changed from new to assigned.
  • description changed.

I've attached a patch for review. Before I commit it to the 1.1 branch, I need your advice on names:

  • The class name that marks a value as safe for output:
      sfOutputEscaperSafe
  • The method name to mark a class/an array of classes (and its children) as safe for output:
      sfOutputEscaper::markClassAsSafe('sfForm')
      sfOutputEscaper::markClassesAsSafe(array('sfForm', 'sfWidget'))
  • The method name to add a safe var in an action:
       $this->setSafeVar('form', $form);

       // which is the same as: $this->form = new sfOutputEscaperSafe($form);

I have added sfForm as being safe by default. This is done in the sfView class for now as I think we will have to move it to a better place after the sfConfiguration refactoring.

01/20/08 11:10:47 changed by fabien

  • qualification changed from Unreviewed to Ready for core team.

01/21/08 09:17:35 changed by fabien

  • status changed from assigned to closed.
  • resolution set to fixed.

in r7120

01/21/08 10:42:39 changed by Rihad.Haciyev

sfOutputEscaper::markClassAsSafe('sfForm')
sfOutputEscaper::markClassesAsSafe(array('sfForm', 'sfWidget'))

I suggest that markClassAsSafe() take any number of args >= 1 and use func_get_args() instead. Feels more geeky.
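The following is an added example, not symfony's code and not the attached patch. It puts the three designs from the ticket description, the markClassAsSafe()/sfOutputEscaperSafe names from fabien's comment, and Rihad's func_get_args() suggestion into one small escaper so the behaviour can be run and compared. All class names are hypothetical stand-ins: OutputEscaper for sfOutputEscaper, SafeValue for sfOutputEscaperSafe, EscapingObjectDecorator for sfOutputEscaperObjectDecorator and FormStub for sfForm; it is written in PHP 5 syntax as symfony 1.1 targeted. The point worth keeping in mind when exempting a class: the escaper no longer protects its output, so the class itself must escape the user-supplied values it renders (as the stub does), and the safe list should stay limited to classes whose rendering is trusted.

```php
<?php
// Added example, not symfony's code. Hypothetical stand-ins: OutputEscaper for
// sfOutputEscaper, SafeValue for sfOutputEscaperSafe, EscapingObjectDecorator
// for sfOutputEscaperObjectDecorator, FormStub for sfForm.

// Solution 1 / the patch's wrapper: the escaper unwraps it and passes the
// value through untouched.
class SafeValue
{
  private $value;
  public function __construct($value) { $this->value = $value; }
  public function getValue() { return $this->value; }
}

// Decorator for objects that are NOT safe: everything read through it is
// escaped, and ArrayAccess is forwarded so that $form['username'] works at all.
class EscapingObjectDecorator implements ArrayAccess
{
  private $object;
  public function __construct($object) { $this->object = $object; }
  public function __toString() { return OutputEscaper::escape((string) $this->object); }
  public function offsetExists($offset) { return isset($this->object[$offset]); }
  public function offsetGet($offset) { return OutputEscaper::escape($this->object[$offset]); }
  public function offsetSet($offset, $value) { throw new LogicException('escaped values are read-only'); }
  public function offsetUnset($offset) { throw new LogicException('escaped values are read-only'); }
}

class OutputEscaper
{
  private static $safeClasses = array();

  // markClassAsSafe()/markClassesAsSafe() folded into one method that accepts
  // any number of class names or arrays of names (Rihad's func_get_args()
  // suggestion). Subclasses inherit the exemption through instanceof.
  public static function markClassAsSafe()
  {
    foreach (func_get_args() as $arg)
    {
      foreach ((array) $arg as $class)
      {
        self::$safeClasses[$class] = true;
      }
    }
  }

  public static function isClassSafe($object)
  {
    foreach (array_keys(self::$safeClasses) as $class)
    {
      if ($object instanceof $class) return true;
    }
    return false;
  }

  public static function escape($value)
  {
    if ($value instanceof SafeValue) return $value->getValue();        // Solution 1: unwrap
    if (is_object($value) && self::isClassSafe($value)) return $value;  // class exemption
    if (is_object($value)) return new EscapingObjectDecorator($value);
    if (is_array($value)) return array_map(array('OutputEscaper', 'escape'), $value);
    if (is_string($value)) return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return $value; // numbers, booleans and null need no escaping
  }
}

// Stand-in for sfForm. Once the class is exempt from the escaper it is the
// class's job to escape the user-supplied values it renders, as done here.
class FormStub implements ArrayAccess
{
  private $fields;
  public function __construct(array $fields) { $this->fields = $fields; }
  public function offsetExists($name) { return isset($this->fields[$name]); }
  public function offsetGet($name)
  {
    return sprintf('<input type="text" name="%s" value="%s" />',
      $name, htmlspecialchars($this->fields[$name], ENT_QUOTES, 'UTF-8'));
  }
  public function offsetSet($name, $value) { $this->fields[$name] = $value; }
  public function offsetUnset($name) { unset($this->fields[$name]); }
  public function __toString()
  {
    $html = '';
    foreach (array_keys($this->fields) as $name) $html .= $this[$name]."\n";
    return $html;
  }
}

// Constructed input: a value a user typed into the form.
$form = new FormStub(array('username' => 'a"b<script>'));

// The ticket's problem: the form is treated like any other object, so the
// markup it renders is entity-encoded instead of being output as HTML.
$escaped = OutputEscaper::escape($form);
echo $escaped['username'], "\n";

// Solution 1: wrap the form when handing it to the template.
$safe = OutputEscaper::escape(new SafeValue($form));
echo $safe['username'], "\n";

// The committed approach: declare the class (and its subclasses) safe once.
OutputEscaper::markClassAsSafe('FormStub', array('AnotherSafeClass'));
$passedThrough = OutputEscaper::escape($form);
echo $passedThrough === $form ? "FormStub passes through untouched\n" : "still wrapped\n";

// Everything else is still escaped, so the exemption is limited to those classes.
echo OutputEscaper::escape('<b>user input</b>'), "\n";
```

Run it with `php escaper.php`: the first line shows the encoded `&lt;input ...` tag the ticket complains about, the second and third show the wrapped and class-exempted form emitting real markup with the field value still escaped, and the last line confirms plain strings are untouched by the exemption.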