I have a web app I'm porting from Slim v3 to Fat Free Framework. The logic part has been straightforward. My problem has been converting some Twig view templates to F3 templates; specifically, I'm having difficulty building concatenated strings to populate Materialize class fields.
For instance, suppose my Contact Form validation passes back a message_err that states, "The name field must be at least 3 characters."
The Slim app, utilizing Twig's template engine, would check to see if data.name_err was empty; if not, it would create a new messageName by concatenating 'data-err="' with data.name_err, and this would then be used to display an error state in a Materialize form. Here's a code snippet:
<div class="input-field">
<label for="name">Name:</label>
{% if data.name_err %}
{% set messageName = 'data-error="'~data.name_err~'"' %}
{% endif %}
some more code here...
</div>
I've tried to do something similar using F3's built-in template engine, but it throws errors with everything I've tried. Here were a few attempts:
<set msg="data-error=" {{ @data.name_err }} "></set>
and:
<set msg="{{ data-error=" @data.name_err "}}"></set>
As there seems to be no way to escape characters in strings, that's why I was trying to use ASCII codes for the quotes. I tried it with the equals sign too, but got errors nonetheless.
If anybody has any thoughts I'd be most appreciative. Otherwise I'll have to dig into changing some core logic.
Please try:
<set msg="{{ 'data-error="'.@data.name_err.'"'}}"></set>
In F3, you can use {~ <code> ~} to execute PHP expressions without echoing the result.
{~ @msg = "data-error=\"@data.name_err\"" ~}
Code
We have the following Twig HTML template:
<div id="error">{{ flash.error | raw }}</div>
and we flash messages in multiple places, e.g.:
$app->flash('error', "Some error with this $user_supplied string.");
$app->flash('error', "Hello, <b>World</b>!");
Question
This is obviously a security concern; $user_supplied could include JavaScript. I would like to replace {{ flash.error | raw }} with {{ flash.error }}, while still allowing HTML in some cases.
What I would like to have:
<div id="error">{{ flash.error }}</div>
----
$app->flash('error', "Some error with this $user_supplied string.");
$app->flash('error', HTML("Hello, <b>World</b>!"));
That way all developers realize the dangers. I can probably hack this together, but is there maybe already a built-in way or a better alternative?
Hm, perhaps you can check the contents of the variable in the PHP code before you pass it to the template. Then use some of PHP's built-in string parsing functions to check the variable for the existence of certain tags.
If (for example) script tags are found, you could set the variable to null or false and then handle that value in your template.
Another way I can think of is to use the striptags filter. You define your allowed tags and what isn't defined will be removed. This way you can output what you want and only keep your allowed tags.
https://twig.symfony.com/doc/2.x/filters/striptags.html
{% set some_var = '<b><script>console.log(123)</script></b>' %}
<div id="error">{{ some_var|striptags('<b><strong>')|raw }}</div>
You can escape a Twig variable for specific needs.
{{ flash.error|escape('js') }}
The escape filter supports the following escaping strategies:
html, js, css, url, html_attr
You can do this in your twig configuration, without knowing much about your project I am going to assume you are using Twig View. At the point of configuring Twig View for your Slim project you can do the following:
$view = new \Slim\Views\Twig('path/to/templates', [
    'cache' => 'path/to/cache',
    'autoescape' => 'js'
]);
That should have it configured globally for JS only escaping. I have not tested this so I am not sure if it works.
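The opt-in `HTML()` wrapper the question asks for can be built on Twig's own `\Twig\Markup` class, whose instances the autoescaper outputs unchanged. The following is an added example, not code from the original posts or from Slim or Twig; `HTML()` and `escapeHtml()` are hypothetical helper names, and it assumes `twig/twig` is installed with Composer in a release that has namespaced classes (older 1.x/2.x releases name the class `Twig_Markup`).

```php
<?php
// Added example. Assumes twig/twig installed with Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Markup;

// Hypothetical helper named after the HTML() call wished for in the question.
// Twig's escaper leaves Markup instances untouched, so only values wrapped
// here bypass autoescaping.
function HTML(string $trusted): Markup
{
    return new Markup($trusted, 'UTF-8');
}

// Hypothetical helper: escape an untrusted fragment before it is embedded
// in markup that will be marked as trusted.
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The template from the question with "| raw" removed and HTML autoescaping on.
$twig = new Environment(
    new ArrayLoader(['flash.twig' => '<div id="error">{{ flash.error }}</div>']),
    ['autoescape' => 'html']
);

// Constructed sample input standing in for $user_supplied.
$user_supplied = '<script>console.log(123)</script>';

$messages = [
    // Plain string: autoescaped, so the script tag is rendered as text.
    "Some error with this $user_supplied string.",
    // Developer-written literal: explicitly trusted, <b> is kept.
    HTML('Hello, <b>World</b>!'),
    // Mixed: the untrusted part is escaped before the whole is trusted.
    HTML('Rejected value: <b>' . escapeHtml($user_supplied) . '</b>'),
];

foreach ($messages as $message) {
    echo $twig->render('flash.twig', ['flash' => ['error' => $message]]), PHP_EOL;
}
```

If the flash storage serializes messages into the session, check that the `Markup` object survives the round trip before relying on it.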
I don't have knowledge of Laravel Blade and I have this code:
<span v-bind:class="{ 'total': (listing.price_per_week), 'total total-center': (!listing.price_per_week)}">@{{ listing.price_view }}*</span>
I want to pass that price value to this function
<?php echo removeFrom( @{{ listing.price_view }} ); ?>
but it doesn't work this way.
How can I pass this?
Thanks
Please check this out: Blade & JavaScript Frameworks
Since many JavaScript frameworks also use "curly" braces to indicate a
given expression should be displayed in the browser, you may use the @
symbol to inform the Blade rendering engine an expression should
remain untouched. For example:
<h1>Laravel</h1>
Hello, @{{ name }}.
In this example, the @ symbol will be removed by Blade; however, {{
name }} expression will remain untouched by the Blade engine, allowing
it to instead be rendered by your JavaScript framework.
I am using a PHP product called Mautic which leverages the Twig template language.
They have some tokens that are accessed similar to
{subject}
and
{contactfield=company}
I want to be able to use the | raw function but when I try
{contactfield=company | raw}
it breaks on me.
If I set a variable then I can use the double curly braces and the functions like raw.
So I am thinking that I need to set a variable to the contactfield=company and then I can access it via the double curly braces. This is how I tried to do it but no luck.
{% set myvar = contactfield=company %}
I tried to use the dump() to guess at what the variable name might be in the context but it appears that command is disabled.
I'm not sure what the syntax should be.
UPDATE
I ran the following code
<ol>
{% for key, value in _context %}
<li>{{ key }}</li>
{% endfor %}
</ol>
and got this result
isNew
slots
content
email
template
basePath
app
cfos
_parent
I suspect that the {contactfield=company} is probably some shorthand for an attribute on one of these variables but not sure how I can dig into the top level context variables to see what other data may be lurking underneath.
I tried using {{dump()}} in the template but that seems to be disabled.
If I knew how to inspect these top level variables I might be able to figure out where this information lives. Unfortunately I don't have access to the PHP environment so I have to discover the information through trial and error.
I am trying to override a block theme and rebuild it with HTML and Twig.
I can't seem to find the variables from the block type or content type and can't find the image URL, for example.
How can I reach it using kint?
The easiest way to dump everything is with
{{ dump() }}
inside your twig template.
I work on fairly large Drupal sites, and I use this to not exhaust the memory from looping through vars.
<ol>
{% for key, value in _context %}
<li>{{ key }}</li>
{% endfor %}
</ol>
This will dump everything into a nice ordered list.
Hope this helps!
Also I'm not sure if you're already doing this, but if not -- turn on the twig debug tool, then check out your inspector of choice, and it'll give you suggestions and override data.
You can do this inside your sites/default/services.yml with
twig.config:
  debug: true
If you have kint (of Devel module) installed, just use:
{{ kint(_context) }}
It's better than {{ dump() }} because kint can manage when the recursion is too long, avoiding memory issues. Second, it has a nice way to display the information.
I'm developing a simple page with Symfony2, using Twig as template engine.
I have a list of URLs, and I'd like to add the Twitter share button for each URL. What I do is a simple cycle on the URLs array, and then dynamically set the URL for every Twitter button inside the cycle. It looks like Twig encodes the URL at first, and the Twitter script encodes it again. So the Twitter share count doesn't match. The code (inside the cycle) is the following; there is another part of Twitter code at the end of the page:
Tweet
The url I get on the rendered page is: http%253A%252F%252Fwww.example.com%252F (two encoding pass)
instead of http%3A%2F%2Fwww.example.com%2F (one encoding pass, correct). It looks like the % is encoded again to %25.
And this doesn't make the Twitter count work, because it considers those two as different URLs.
I also tried to use some filters, e.g. {{ s.url|raw }}, but it didn't work.
So my question is: how to avoid this? Is there a way to tell twig (or twitter) to not encode the url?
You can always turn autoescaping off in Twig by using the {% autoescape false %} declaration before the code you want to leave raw. This will leave any strings you output unescaped, and thus your URL will not be escaped twice. Make sure you turn autoescaping back on with {% endautoescape %}
{% autoescape false %}
Tweet
{% endautoescape %}
Full Twig HTML Escaping Documentation
An old post but looks like you can use the "raw" filter now. This should do:
{{ s.url|raw }}
http://twig.sensiolabs.org/doc/api.html#escaper-extension