Please test Latte 3.0.5 – possible BC break
- David Grudl
- Nette Core | 8218
Please test Latte 3.0.5 RC
composer require latte/latte:^3.0.5-RC1
In addition to fixing a number of bugs, the new version includes one
intentional BC break – it will warn you if your custom tag (Node class) does
not contain the getIterator() method. This can introduce a serious
security risk. Explanation here.
Another change is that HTML is not escaped inside the
<script type=unknown>...</script> element (this only happens with
type=text/html). By unknown I mean a type that Latte does not support, i.e.
it is not JavaScript, JSON, text/html, or text/plain. If you use a special
type and expect HTML escaping, please write a comment here.
If you are using Latte standalone, a new feature is TracyExtension. For
usage, see the documentation. It replaces the BlueScreenPanel and LattePanel
classes.
Finally, I added an experimental feature where |noescape does
not turn off escaping completely in certain situations, but only partially.
Example:
<p title="{$title|noescape}"> ... </p>
<script> {$js|noescape} </script>
In the first case the " character will still be escaped, in the
second the </script> sequence will be escaped. That is, to
make it impossible to escape out of the context of attribute or element
<script>. The programmer may use |noescape in these places, for example
because $title contains HTML entities, $js contains JavaScript, but he
doesn't realise that this may break the page. So |noescape should be safer.
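
The partial escaping described for |noescape above, as an added illustration that is not part of the original post and is not Latte's own code. The function names and sample values are hypothetical, and the replacements are one assumed way to get the described effect.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers showing the idea only; Latte's real filters may differ.

/** Quoted attribute: keep entities such as &amp; untouched, escape only the closing quote. */
function partialEscapeQuotedAttr(string $s): string
{
    return str_replace('"', '&quot;', $s);
}

/** <script> element: keep the JavaScript untouched, break up only the closing-tag sequence. */
function partialEscapeScript(string $s): string
{
    // "</script" in any letter case ends the element for the HTML parser.
    // "<\/script" means the same thing inside a JavaScript string literal.
    return preg_replace('~<(/script)~i', '<\\\\$1', $s);
}

// Constructed sample values, not taken from the post.
$title = 'Tom &amp; Jerry" class="injected';
$js    = 'var msg = "</script><p>injected markup</p>";';

echo "--- attribute, |noescape with no escaping at all ---\n";
echo '<p title="' . $title . '"> ... </p>', "\n";

echo "--- attribute, partial escaping ---\n";
echo '<p title="' . partialEscapeQuotedAttr($title) . '"> ... </p>', "\n";

echo "--- script, |noescape with no escaping at all ---\n";
echo '<script> ' . $js . ' </script>', "\n";

echo "--- script, partial escaping ---\n";
echo '<script> ' . partialEscapeScript($js) . ' </script>', "\n";
```

In both partially escaped outputs the value stays inside its context: the &amp; entity and the JavaScript survive unchanged, while the quote and the closing tag can no longer end the attribute or the element.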