Please test Latte 3.0.5 – possible BC break

David Grudl

Please test Latte 3.0.5 RC

composer require latte/latte:^3.0.5-RC1

In addition to fixing a number of bugs, the new version includes one intentional BC break – it will warn you if your custom tag (Node class) does not contain the getIterator() method. This can introduce a serious security risk. Explanation here.

Another change is that HTML is not escaped inside the <script type=unknown>...</script> element (this only happens with type=text/html). By unknown I mean a type that Latte does not support, i.e. it is not JavaScript, JSON, text/html, or text/plain. If you use a special type and expect HTML escaping, please write a comment here.

If you are using Latte standalone, a new feature is TracyExtension. For usage, see the documentation. It replaces the BlueScreenPanel and LattePanel classes.

Finally, I added an experimental feature where |noescape does not turn off escaping completely in certain situations, but only partially. Example:

<p title="{$title|noescape}"> ... </p>
<script> {$js|noescape} </script>

In the first case the " character will still be escaped, in the second the </script> sequence will be escaped. That is, to make it impossible to escape out of the context of the attribute or the <script> element. The programmer may use |noescape in these places, for example because $title contains HTML entities or $js contains JavaScript, but he doesn't realise that this may break the page. So |noescape should be safer.
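
The partial escaping described above, as an added PHP example that is not part of the original post and is not Latte's own code: it compares raw output, full HTML escaping and delimiter-only escaping for the two contexts. The helper names partialEscapeAttr() and partialEscapeScript(), the `<\/` replacement and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Illustrative helpers with hypothetical names; this is not Latte's API or implementation.

/** Double-quoted attribute value: neutralise only the delimiter, keep existing entities. */
function partialEscapeAttr(string $s): string
{
    return str_replace('"', '&quot;', $s);
}

/**
 * <script> body: the HTML parser closes the element at "</script" no matter
 * where it appears, so break up every "</". Inside a JavaScript string
 * literal "<\/" still evaluates to "</", so the script's data is unchanged.
 */
function partialEscapeScript(string $s): string
{
    return str_replace('</', '<\/', $s);
}

// Constructed sample values.
$title = '24" monitor &amp; stand';      // already contains an HTML entity
$js    = 'var tpl = "</script><p>hi";';  // JavaScript holding a closing tag in a string

$rows = [
    // The quote inside $title ends the attribute early.
    'raw attr'       => '<p title="' . $title . '">',
    // Safe, but the existing entity is encoded a second time.
    'full escape'    => '<p title="' . htmlspecialchars($title, ENT_QUOTES) . '">',
    // The quote is neutralised and the entity is left as written.
    'partial attr'   => '<p title="' . partialEscapeAttr($title) . '">',
    // The string literal closes the <script> element early.
    'raw script'     => '<script>' . $js . '</script>',
    // The element stays open until the real closing tag.
    'partial script' => '<script>' . partialEscapeScript($js) . '</script>',
];

foreach ($rows as $label => $html) {
    printf("%-15s %s\n", $label, $html);
}
```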