
Some suggestions needed


colap


To be honest, both examples are cumbersome and ugly. And that's not even usable code, because you've forgotten the HTML-escaping. The real code would look something like this:

<div><?= htmlspecialchars($some_value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'); ?></div>

And that's just one variable in one HTML element. When you're dealing with more complex output, you'll quickly end up with this terrible Wordpress-style spaghetti code.


Personally, I very much prefer using a proper template engine like Twig or Smarty:

<div>{{ some_value }}</div>

This is clearly much more readable. And since Twig automatically escapes the output, you won't run into cross-site scripting vulnerabilities all the time.

Edited by Jacques1

If you don't use a template engine you can always use a function in your configuration file that you use to make it a little less cumbersome, for example

function html_escape($raw_input) {
    // important! don't forget to specify ENT_QUOTES and the correct encoding
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

then call it like 

<p class="blogParagraph"><?php echo nl2br(html_escape($row->content)); ?></p>

I believe I got this small script from a tutorial I got from a different forum written by Jacques! a while back.


Personally, I very much prefer using a proper template engine like Twig or Smarty:

<div>{{ some_value }}</div>

This is clearly much more readable. And since Twig automatically escapes the output, you won't run into cross-site scripting vulnerabilities all the time.


Does Twig automatically escape output now? I know you can set a template to auto-escape blocks of output, but you have to specifically set it to do so. Otherwise you escape on the value, such as

<div>{{ some_value|e }}</div>
<div>{{ some_value|escape('html') }}</div>

unless that changed...


Either way, Twig is fantastic and very much recommended.
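On the autoescape question raised above: the following is an added example, not code from the thread, that renders the same `{{ some_value }}` template with Twig's `autoescape` option left at its default and with it switched off. It assumes Twig 3 installed via Composer (`vendor/autoload.php`) and uses a sample value constructed for the demo.

```php
<?php
// Added example (not from the thread). Demonstrates how Twig's
// 'autoescape' environment option decides whether {{ some_value }}
// is HTML-escaped, and where the |e filter still matters.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample value: contains tags, an ampersand and both quote
// styles, i.e. everything htmlspecialchars(ENT_QUOTES) has to handle.
$someValue = '<b>Bold</b> & "double" \'single\'';

$loader = new ArrayLoader([
    // Same templates as discussed in the thread.
    'auto.html'   => '<div>{{ some_value }}</div>',
    'manual.html' => '<div>{{ some_value|e }}</div>',
    // |raw opts out of escaping on purpose; only use it for trusted markup.
    'raw.html'    => '<div>{{ some_value|raw }}</div>',
]);

$context = ['some_value' => $someValue];

// 1) Default environment: 'autoescape' is 'html' unless you override it,
//    so the plain {{ some_value }} comes out escaped.
$twig = new Environment($loader);
echo "autoescape default:\n";
echo $twig->render('auto.html', $context), "\n";
echo $twig->render('raw.html', $context), "\n";   // unescaped on purpose

// 2) Autoescape disabled: {{ some_value }} is inserted verbatim and only
//    the explicit |e filter protects the output.
$twigOff = new Environment($loader, ['autoescape' => false]);
echo "\nautoescape off:\n";
echo $twigOff->render('auto.html', $context), "\n";   // verbatim
echo $twigOff->render('manual.html', $context), "\n"; // escaped via |e

// 3) The hand-rolled PHP equivalent from the thread, for comparison.
function html_escape(string $rawInput): string
{
    return htmlspecialchars($rawInput, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
echo "\nplain PHP:\n<div>", html_escape($someValue), "</div>\n";
```

Run it with `php example.php` after `composer require twig/twig`; the first and last `<div>` lines should match, while the "autoescape off" rendering of `auto.html` shows the raw `<b>` tag.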
