Is it possible to get rid of |noescape ?

bernhard
Member | 31
+
0
-

Hey everybody! I've created a module that adds latte support to the ProcessWire CMS (https://www.youtube.com/watch?…)

The module supports adding ALFRED (a lovely frontend editor) to the markup of the page by simply calling the alfred function:

<div {alfred($page, "field1, field2")|noescape}><h1>{$page->field1}</h1><p>{$page->field2}</p></div>

No I wonder if it would somehow be possible to get rid of the |noescape filter when injecting markup via the alfred() function? The return of alfred is something like this:

<div alfred="{some json here}">

So I thought there could maybe be a way to instead of returning alfred=… my function could return somemthing like {noescape}alfred=…{/noescape} which would simplify alfred calls in my template files to this:

<div {alfred($page, "field1, field2")}><h1>{$page->field1}</h1><p>{$page->field2}</p></div>

I guess this is not possible for security reasons? But I wanted to ask nonetheless. The markup of alfred does always come from a trusted source at least. Maybe one of the gurus has an idea or maybe I'm missing something and it's already possible?

Marek Bartoš
Nette Blogger | 747
+
+2
-

Instance of Latte\Runtime\Html is not escaped

Last edited by Marek Bartoš (2022-08-07 12:11)

bernhard
Member | 31
+
0
-

Hi guys, thank you for your help! Unfortunately I can't get it working:

This is what I get when using |noescape (that works):

https://i.imgur.com/zxw9M0n.png

This is what I get when using an Latte\Html object:

https://i.imgur.com/MV246GY.png
https://i.imgur.com/wd0jbeO.png

Where it looks like it should be an HTML object?!

https://i.imgur.com/K7LA4US.png

PS: Congrats to your 7777 post :)

Last edited by bernhard (2022-08-08 10:04)

David Grudl
Nette Core | 7790
+
+1
-

Isn't it possible that the object is converted to a string somewhere? For example, doesn't the method have the return type string?

bernhard
Member | 31
+
0
-

Good idea, but unfortunately no :(

https://i.imgur.com/mQnY9pk.png

It returns the HTML object after rendering the latte file it will show up as escaped string…

bernhard
Member | 31
+
0
-

I've just tried to see what {dump alfred($page)} returns:

https://i.imgur.com/Q8vXZXe.png

David Grudl
Nette Core | 7790
+
0
-

I understand now, because Latte\Runtime\Html doesn't work inside the HTML tag (because HTML code can't be written there). At the moment the only solution is the filter |noescape.

bernhard
Member | 31
+
0
-

Thx @DavidGrudl and sorry for the delay I did not get notified..

You are right, that's the reason – I just realised that myself :) Is there any other workaround you can think of? Maybe returning a Latte\HtmlStringable ? It would really improve the API and UX of my module as I'm using alfred() calls quite often in my markup…

<div {alfred($page)}> would just be a lot nicer than <div {alfred($page)|noescape}>

Thx for your thoughts!

David Grudl
Nette Core | 7790
+
0
-

Not at the moment. Could you create an issue on GitHub?

bernhard
Member | 31
+
0
-

Ok thx I'll do so!

Another related question: Is there any my alfred() function can know whether it was called from inside a HTML tag or outside?

  <div class="foo" {alfred($page)|noescape}>
    {alfred($page)}
    some markup
  </div>

So can the first alfred() call return a different output than the second call? Of course I could introduce other arguments or settings, but that would be nothing better than adding |noescape

bernhard
Member | 31
+
+1
-

For reference here is the issue: https://github.com/…e/issues/313