Is it possible to get rid of |noescape?
- bernhard
- Member | 52
Hey everybody! I've created a module that adds latte support to the ProcessWire CMS (https://www.youtube.com/watch?…)
The module supports adding ALFRED (a lovely frontend editor) to the markup of the page by simply calling the alfred function:
<div {alfred($page, "field1, field2")|noescape}><h1>{$page->field1}</h1><p>{$page->field2}</p></div>
Now I wonder if it would somehow be possible to get rid of the |noescape filter when injecting markup via the alfred() function? The return of alfred is something like this:
<div alfred="{some json here}">
So I thought there could maybe be a way to instead of returning alfred=… my function could return something like {noescape}alfred=…{/noescape} which would simplify alfred calls in my template files to this:
<div {alfred($page, "field1, field2")}><h1>{$page->field1}</h1><p>{$page->field2}</p></div>
I guess this is not possible for security reasons? But I wanted to ask nonetheless. The markup of alfred does always come from a trusted source at least. Maybe one of the gurus has an idea or maybe I'm missing something and it's already possible?
- Marek Bartoš
- Nette Blogger | 1281
Instance of Latte\Runtime\Html is not escaped
Last edited by Marek Bartoš (2022-08-07 12:11)
- bernhard
- Member | 52
Hi guys, thank you for your help! Unfortunately I can't get it working:
This is what I get when using |noescape (that works):
https://i.imgur.com/zxw9M0n.png
This is what I get when using a Latte\Html object:
https://i.imgur.com/MV246GY.png
https://i.imgur.com/wd0jbeO.png
Where it looks like it should be an HTML object?!
https://i.imgur.com/K7LA4US.png
PS: Congrats on your 7777th post :)
Last edited by bernhard (2022-08-08 10:04)
- David Grudl
- Nette Core | 8239
Isn't it possible that the object is converted to a string somewhere? For example, doesn't the method have the return type string?
- bernhard
- Member | 52
Good idea, but unfortunately no :(
https://i.imgur.com/mQnY9pk.png
It returns the HTML object; after rendering the Latte file it will show up as an escaped string…
- David Grudl
- Nette Core | 8239
I understand now, because Latte\Runtime\Html doesn't work inside the HTML tag (because HTML code can't be written there). At the moment the only solution is the filter |noescape.
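With |noescape as the only option inside a tag, Latte no longer escapes that output, so the helper has to return an attribute that is already safe for a double-quoted attribute. The following is an added example, not part of the thread and not the module's code; `alfredAttr()`, its parameters and the JSON layout are assumptions:

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the module's alfred() helper. The JSON layout
// (page id, field names, label) is an assumption made for this example.
function alfredAttr(int $pageId, string $fields, string $label = ''): string
{
    $names = array_values(array_filter(
        array_map('trim', explode(',', $fields)),
        fn(string $name): bool => $name !== ''
    ));
    $json = json_encode(
        ['page' => $pageId, 'fields' => $names, 'label' => $label],
        JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE
    );
    // |noescape switches Latte's escaping off for this output, so the value
    // is escaped for a double-quoted attribute here, exactly once.
    return 'alfred="' . htmlspecialchars($json, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
}

// Constructed input: a label containing quotes, angle brackets and an ampersand.
$label = 'Size 5" <wide> & \'tall\'';
$attr = alfredAttr(1042, 'field1, field2', $label);
echo "<div {$attr}></div>", PHP_EOL;

// Self-check 1: the attribute value contains no raw quote or angle bracket.
$value = substr($attr, strlen('alfred="'), -1);
if (preg_match('/["\'<>]/', $value) === 1) {
    throw new RuntimeException('attribute value is not fully escaped');
}

// Self-check 2: decoding the entities and the JSON returns the original data.
$data = json_decode(
    html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
    true,
    512,
    JSON_THROW_ON_ERROR
);
if ($data['label'] !== $label || $data['fields'] !== ['field1', 'field2']) {
    throw new RuntimeException('round trip failed');
}
echo 'round trip ok', PHP_EOL;
```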
- bernhard
- Member | 52
Thx @DavidGrudl and sorry for the delay I did not get notified..
You are right, that's the reason – I just realised that myself :) Is there any other workaround you can think of? Maybe returning a Latte\HtmlStringable ? It would really improve the API and UX of my module as I'm using alfred() calls quite often in my markup…
<div {alfred($page)}> would just be a lot nicer than <div {alfred($page)|noescape}>
Thx for your thoughts!
- bernhard
- Member | 52
Ok thx I'll do so!
Another related question: Is there any way my alfred() function can know whether it was called from inside an HTML tag or outside?
<div class="foo" {alfred($page)|noescape}>
{alfred($page)}
some markup
</div>
So can the first alfred() call return a different output than the second call? Of course I could introduce other arguments or settings, but that would be nothing better than adding |noescape