Code
We have the following Twig HTML template:
<div id="error">{{ flash.error | raw }}</div>
and we flash messages in multiple places, e.g.:
$app->flash('error', "Some error with this $user_supplied string.");
$app->flash('error', "Hello, <b>World</b>!");
Question
This is obviously a security concern: $user_supplied could include JavaScript. I would like to replace {{ flash.error | raw }} with {{ flash.error }}, while still allowing HTML in some cases.
What I would like to have:
<div id="error">{{ flash.error }}</div>
----
$app->flash('error', "Some error with this $user_supplied string.");
$app->flash('error', HTML("Hello, <b>World</b>!"));
That way all developers realize the dangers. I can probably hack this together, but is there maybe already a built-in way or a better alternative?
Hm, perhaps you can check the contents of the variable in the PHP code before you pass it to the template. Then use some of PHP's built-in string parsing functions to check the variable for the existence of certain tags.
If (for example) script tags are found, you could set the variable to null or false and then handle that value in your template.
Another way I can think of is to use the striptags filter. You define your allowed tags and what isn't defined will be removed. This way you can output what you want and only keep your allowed tags.
https://twig.symfony.com/doc/2.x/filters/striptags.html
{% set some_var = '<b><script>console.log(123)</script></b>' %}
<div id="error">{{ some_var|striptags('<b><strong>')|raw }}</div>
You can use the escape filter on a Twig variable for specific needs.
{{ flash.error|escape('js') }}
The escape filter supports the following escaping strategies:
html, js, css, url, html_attr
You can do this in your Twig configuration. Without knowing much about your project, I am going to assume you are using Twig View. At the point of configuring Twig View for your Slim project you can do the following:
$view = new \Slim\Views\Twig('path/to/templates', [
'cache' => 'path/to/cache',
'autoescape' => 'js'
]);
That should have it configured globally for JS only escaping. I have not tested this so I am not sure if it works.
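Two points a practitioner would want alongside the answers above. First, a value printed inside an HTML element, as in the question's div, needs the html escaping strategy; the js strategy is for values placed inside a script block, so switching autoescape to js for the whole site does not protect the markup context. Second, striptags wraps PHP's strip_tags, which keeps attributes on the tags you allow, so `<b onmouseover="...">` survives `striptags('<b>')` unless you strip attributes as well. The question's HTML() idea already exists in Twig: the Twig\Markup class marks a string as safe, and autoescaping leaves Markup instances untouched while escaping everything else. The following is an added example, not code from the question, the answers, Slim or the Twig documentation; it assumes Twig 2 or 3 installed via Composer and that the flashed value reaches the template unchanged (if your flash store serialises messages into the session, check that the Markup object survives that round trip). The html() and htmlText() helpers and the sample input are constructed for the example.

```php
<?php
// Added example (not code from the question or its answers).
// Assumes Twig 2.x/3.x installed via Composer (namespaced classes) and that
// the flashed value reaches the template unchanged. Run: php twig_markup_demo.php
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Markup;

// The hypothetical HTML() helper from the question. Wrapping a string in
// Twig\Markup tells the escape filter that this value is already safe HTML,
// so autoescaping leaves it alone. Every plain string is still escaped.
function html(string $trustedHtml): Markup
{
    return new Markup($trustedHtml, 'UTF-8');
}

// Escape an untrusted fragment the same way Twig's 'html' strategy does
// (htmlspecialchars with ENT_QUOTES | ENT_SUBSTITUTE), so it can be embedded
// inside a developer-written HTML message without losing the safe marker.
function htmlText(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The template from the question with |raw removed: autoescape stays on.
$twig = new Environment(new ArrayLoader([
    'error.html.twig' => '<div id="error">{{ flash.error }}</div>',
]), ['autoescape' => 'html']);

// Constructed sample input standing in for $user_supplied.
$userSupplied = '<script>alert(document.cookie)</script>';

$messages = [
    // 1. Plain string built from user input: autoescape neutralises the tags.
    "Some error with this $userSupplied string.",
    // 2. Developer-written markup: rendered as HTML because it is a Markup object.
    html('Hello, <b>World</b>!'),
    // 3. Mixing the two: escape the untrusted part yourself, then mark the
    //    whole message safe. Concatenating a Markup object into a string would
    //    turn it back into a plain (escaped) string, so compose it this way round.
    html('Some error with this ' . htmlText($userSupplied) . ' string. <a href="/help">Help</a>'),
];

foreach ($messages as $error) {
    echo $twig->render('error.html.twig', ['flash' => ['error' => $error]]), PHP_EOL;
}
```

Running it prints the first message with the script tags entity-encoded, the second with the bold tags intact, and the third with the link intact and only the user-supplied part encoded. The design choice is the one the question asks for: the safe marker is opt-in and visible at the call site, so a reviewer can grep for html( calls, while the default path stays escaped.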
Related
I have a web app I'm porting from Slim v3 to Fat Free Framework. The logic part has been straight-forward. My problem has been converting some Twig view templates to F3 templates; specifically I'm having difficulty building concatenated strings to populate Materialize class fields.
For instance, suppose my Contact Form validation passes back a message_err that states, "The name field must be at least 3 characters."
The Slim app, utilizing Twig's template engine, would check to see if data.name_err was empty; if not, it would create a new messageName by concatenating 'data-err="' with data.name_err, and this would then be used to display an error state in a Materialize form. Here's a code snippet:
<div class="input-field">
<label for="name">Name:</label>
{% if data.name_err %}
{% set messageName = 'data-error="'~data.name_err~'"' %}
{% endif %}
some more code here...
</div>
I've tried to do something similar using F3's built in template engine, but it throws errors with everything I've tried. Here were a few attempts:
<set msg="data-error=" {{ #data.name_err }} "></set>
and:
<set msg="{{ data-error=" #data.name_err "}}"></set>
As there seems to be no way to escape characters in strings, I was trying to use ASCII codes for the quotes. I tried it with the equals sign too, but got errors nonetheless.
If anybody has any thoughts I'd be most appreciative. Otherwise I'll have to dig into changing some core logic.
Please try:
<set msg="{{ 'data-error="'.#data.name_err.'"'}}"></set>
In F3, you can use {~ <code> ~} to execute php expressions without echoing the result.
{~ #msg = "data-error=\"#data.name_err\"" ~}
I don't have knowledge of Laravel Blade and I have this code:
<span v-bind:class="{ 'total': (listing.price_per_week), 'total total-center': (!listing.price_per_week)}">#{{ listing.price_view }}*</span>
I want to pass that price value to this function
<?php echo removeFrom( #{{ listing.price_view }} ); ?>
but it doesn't work this way.
How can I pass this?
Thanks
Please check this out: Blade & JavaScript Frameworks
Since many JavaScript frameworks also use "curly" braces to indicate a given expression should be displayed in the browser, you may use the # symbol to inform the Blade rendering engine an expression should remain untouched. For example:
<h1>Laravel</h1>
Hello, #{{ name }}.
In this example, the # symbol will be removed by Blade; however, the {{ name }} expression will remain untouched by the Blade engine, allowing it to instead be rendered by your JavaScript framework.
I am using a PHP product called Mautic which leverages the TWIG template language.
They have some tokens that are accessed similar to
{subject}
and
{contactfield=company}
I want to be able to use the | raw function but when I try
{contactfield=company | raw}
it breaks on me.
If I set a variable then I can use the double curly braces and the functions like raw.
So I am thinking that I need to set a variable to the contactfield=company and then I can access it via the double curly braces. This is how I tried to do it but no luck.
{% set myvar = contactfield=company %}
I tried to use the dump() to guess at what the variable name might be in the context but it appears that command is disabled.
I'm not sure what the syntax should be.
UPDATE
I ran the following code
<ol>
{% for key, value in _context %}
<li>{{ key }}</li>
{% endfor %}
</ol>
and got this result
isNew
slots
content
email
template
basePath
app
cfos
_parent
I suspect that the {contactfield=company} is probably some shorthand for an attribute on one of these variables but not sure how I can dig into the top level context variables to see what other data may be lurking underneath.
I tried using {{dump()}} in the template but that seems to be disabled.
If I knew how to inspect these top level variables I might be able to figure out where this information lives. Unfortunately I don't have access to the PHP environment so I have to discover the information through trial and error.
I'm using the PHP Laravel framework and I came across some code examples where {{ }} is used inside HTML code, like this:
<link rel="stylesheet" href=" {{ URL::to('css/app.css') }} ">
My conclusion is that {{ }} is used to write non-HTML code inside the HTML; is that correct?
And what is { } used for?
Thanks for your answer.
There is no { } in Blade, {{ }} displays escaped data and {!! !!} displays unescaped data.
By default, Blade {{ }} statements are automatically sent through PHP's htmlentities function to prevent XSS attacks. If you do not want your data to be escaped, you may use the following syntax:
Hello, {!! $name !!}.
https://laravel.com/docs/5.3/blade#displaying-data
That is not PHP but rather syntax for the Blade template system that Laravel comes bundled with.
In short, {{$aPhpVariable}} is basically compiled to <?= htmlentities($aPhpVariable) ?> (or even <?php echo htmlentities($aPhpVariable); ?>), but from what I know, there is no single bracket ({}) syntax.
You can also use normal PHP code inside Blade templates or just treat it as a normal HTML page, but it does have a bunch of things that make building the views a lot easier.
Go check out the docs for more info about blade!
To escape data use
{{ $data }}
If you don't want the data to be escaped use :
{!! $data !!}
{} is part of the syntax of PHP code. It's used in functions, blocks of code and objects.
{{ }} is part of Laravel's Blade template syntax, echoing something in a Laravel project.
Using Symfony 2, I'm trying to print out a label by using
form_widget(form.client)
The label I'm trying to print contains actual HTML markup:
$builder->add('client', 'text', array('label' => 'Client'));
But Symfony autoescapes the label and prints it out as text and not as HTML. So I've tried to use both
form_widget(form.client) | raw
and
{% autoescape false %} form_widget(form.client) {% endautoescape %}
but none of those two methods helped me, the output is still regarded as text and not HTML.
Am I missing some setting or am I using it wrong?
Thanks!
Don't put HTML into your classes! Use Custom Form rendering to customize how your labels are rendered.
I think Twig filters should be inside the parentheses and not outside. Have you tried like this:
form_widget(form.client | raw)
Also, I would recommend adding the tag not in the class but directly in the template:
{{ form_label(form.client) }}
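Why neither |raw nor autoescape false in the calling template helps: form_label and form_widget render a block from the form theme, and the label is escaped inside that block before the function returns its (already safe-marked) output, so filters applied outside have nothing left to act on. Newer Symfony versions provide a built-in switch for exactly this case. The following is an added example, not code from the question or its answers; it assumes Symfony 5.1 or later, where FormType gained the label_html option (the Symfony 2 'text' alias in the question has no equivalent), and the addClientField() function and field names are constructed for the example.

```php
<?php
// Added example (not code from the question or its answers).
// Assumes Symfony >= 5.1, where FormType gained the 'label_html' option,
// and the class-based type names of Symfony 3+.
use Symfony\Component\Form\Extension\Core\Type\TextType;
use Symfony\Component\Form\FormBuilderInterface;

// Hypothetical helper called from a FormType::buildForm() implementation.
function addClientField(FormBuilderInterface $builder): void
{
    // Before: the form theme escapes the label, so the <b> tags show up
    // literally in the page. Neither {{ form_label(form.client)|raw }} nor
    // {% autoescape false %} around the call changes that, because the
    // escaping happens inside the theme's own label block.
    $builder->add('client_escaped', TextType::class, [
        'label' => 'Client <b>(required)</b>',
    ]);

    // After: label_html tells the form theme to print the label unescaped.
    // Only enable it for labels you wrote yourself; never build an HTML label
    // from request parameters, database content or translations you do not control.
    $builder->add('client', TextType::class, [
        'label' => 'Client <b>(required)</b>',
        'label_html' => true,
    ]);
}
```

The option is per field, which keeps the default (escaped) behaviour for every label that does not explicitly opt in, the same opt-in pattern that the accepted advice above ("Don't put HTML into your classes!") is steering towards when it points at custom form rendering for older versions.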