
Preventing Twig from escaping JSON


Solved by NotionCommotion


types is an array or object.  How do I prevent it from being escaped?  Thanks

{% import _self as forms %}

{% set _jsScript = [
    'var types=$.parseJSON(' ~ types|json_encode()|raw ~ ');'
] %}

{% macro listArray(list) %}
    {% for item in list %}
        {# autoescaping is applied to this output, so the raw filter inside the set above has no effect #}
        {{ item }}
    {% endfor %}
{% endmacro %}

{% if _jsScript|default %}
<script type="text/javascript">
    {{ forms.listArray(_jsScript) }}
</script>
{% endif %}

  • Solution

Ah, I see.

{% import _self as forms %}

{% set _jsScript = [
    'var types=' ~ types|json_encode() ~ ';'
] %}

{% macro listArray(list) %}
    {% for item in list %}
        {# raw is applied at the point of output, so the JSON reaches the browser unescaped #}
        {{ item|raw }}
    {% endfor %}
{% endmacro %}

{% if _jsScript|default %}
<script type="text/javascript">
    {{ forms.listArray(_jsScript) }}
</script>
{% endif %}

json_encode() is not secure within JavaScript code. And I might add: It's also very poor spaghetti code.

 

If you want to read data from the server, use Ajax or put the JSON-encoded data into a hidden HTML element. Do not generate dynamic JavaScript code.

I generally try and stick the data attribute with the json onto whatever element the script will be affecting. If you need to just pass some data to the script itself (say configuration info or whatever), you can stick the data attribute onto the script tag.

 

For example:

<script data-types="{{ types|json_encode() }}">
(function(){
    var types = $('script').last().data('types');
    console.log(types);
}());
</script>

You need to get rid of your inline scripts.

 

Not only is it, again, spaghetti code. It's also a major security issue, because the browser cannot easily distinguish between legitimate inline code and cross-site scripting attacks. When all scripts reside on external domains (or at least external files), you can block inline scripting entirely and whitelist the external scripts. But when your HTML markup is cluttered with inline scripts, your only chance is to go through each one of them and either whitelist its hash or implement secure nonces. Both are a lot more difficult.

 

So while you remove the HTML markup from your PHP scripts (which is great), you should also remove the inline styles and scripts from the HTML markup.

Edited by Jacques1