Using Symfony 2, I'm trying to print out a label by using
form_widget(form.client)
The label I'm trying to print is containing actual HTML markup:
$builder->add('client', 'text', array('label' => 'Client'));
But Symfony autoescapes the label and prints it out as text and not as HTML. So I've tried to use both
form_widget(form.client) | raw
and
{% autoescape false %} form_widget(form.client) {% endautoescape %}
but none of those two methods helped me, the output is still regarded as text and not HTML.
Am I missing some setting or am I using it wrong?
Thanks!
Don't put HTML into your classes! Use Custom Form rendering to customize how your labels are rendered.
I think Twig filters should be inside the parenthesis and not outside - have you tried like this :
form_widget(form.client | raw)
Also, I would recommend adding the tag not in the class but directly in the template :
{{ form_label(form.client) }}
Related
Code
We have the following Twig HTML template:
<div id="error">{{ flash.error | raw }}</div>
and we flash messages in multiple places, e.g.:
$app->flash('error', "Some error with this $user_supplied string.");
$app->flash('error', "Hello, <b>World</b>!");
Question
This is obviously a security concern, $user_supplied could include javascript. I would like to replace {{ flash.error | raw }} with {{ flash.error }}, while still allowing HTML in some cases.
What I would like to have:
<div id="error">{{ flash.error }}</div>
----
$app->flash('error', "Some error with this $user_supplied string.");
$app->flash('error', HTML("Hello, <b>World</b>!"));
That way all developers realize the dangers. I can probably hack this together, but is there maybe already a built-in way or a better alternative?
Hm, Perhaps you can check the contents of the variable in the PHP code before you pass it to the template. Then use some of PHP's built in string parsing functions to check the variable for the existence of certain tags.
If (for example) script tags are found, you could set the variable to null or false and then handle that value in your template.
Another way I can think of is to use the striptags filter. You define your allowed tags and what isn't defined will be removed. This way you can output what you want and only keep your allowed tags.
https://twig.symfony.com/doc/2.x/filters/striptags.html
{% set some_var = '<b><script>console.log(123)</script></b>' %}
<div id="error">{{ some_var|striptags('<b><strong>')|raw }}</div>
You can use escape twig variable for specific needs.
{{ flash.error|escape('js') }}
The escape filter supports the following escaping strategies:
html, js, css, url, html_attr
You can do this in your twig configuration, without knowing much about your project I am going to assume you are using Twig View. At the point of configuring Twig View for your Slim project you can do the following:
$view = new \Slim\Views\Twig('path/to/templates', [
'cache' => 'path/to/cache',
'autoescape' => 'js'
]);
That should have it configured globally for JS only escaping. I have not tested this so I am not sure if it works.
For the first time, i am working on Symfony widgets.
{% render "EducateToolsBundle:Shared:selectMenu" with {'entity': 'Stores'} %}
its Meaning is SharedController -->selectMenuAction
{% form_theme form 'EducateToolsBundle:shared:_form_theme.html.twig' %}
What is the meaning of this.
From where i am getting the values to this form .?
You must look at selectMenuAction() method in the Shared controller. It is that function that set what template is used. if using the default Symfony coding standards it should be something like selectMenu.html.twig in a Shared sub folder in the Resources/views of the bundle.
You should looks at the documentation first :
https://symfony.com/doc/current/form/form_customization.html
Because we won't teach you symfony here, it's very well explain in the documentation and it is a task too big for us.
In your case theForm.id is the field of the formType we want to displays.
If we want to display the <input> of an form of user lastname we would use
form_widget(userForm.lastname)
form_widget tells symfony to display only the widget (the ) of the id given.
if you want to have a label + input + the errors of the field you could use
form_row(userForm.lastname)
wich is almost equal to
<div>
{{ form_label(form.lastname) }}
{{ form_errors(form.lastname) }}
{{ form_widget(form.lastname) }}
</div>
(it depends of the form theme, but you should read the doc for the details ;) )
I have picked up the basics of using TWIG to create my site. I suppose I know how to use {%extend%} {%block%} {%include%} and {%set%}, in the most general sense.
I would like to include a block of code from within another twig file without including the whole file - as opposed to {% include 'file.twig' %}.
I have figured out how to set a variable in file.twig and output it using {{ variable | raw }}. I would like to do that in another file, like you would with using jQuery's .load function.
I swear the twig documentation does not seem to touch on this, it seems like really obvious and basic functionality. I have messed around with various combinations of include, for, with, in and only, colons and commas and whatever | is, and nothing.
I believe you are looking for horizontal inheritance via the use tag:
The use statement tells Twig to import the blocks defined in blocks.html into the current template (it's like macros, but for blocks)
The confusing part is that by itself, {% use ... won't actually insert the content of the blocks in the referenced template. To do that, you must use the block(...) function:
index.twig
{% use "blocks.twig" %}
{{ block('name') }}
blocks.twig
{% block name %}
<h1>Alex Weissman</h1>
{% endblock %}
{% block hobby %}
<p>Blanchin'</p>
{% endblock %}
For a working example, see my TwigFiddle (yes, it's a real thing!): http://twigfiddle.com/jjbfug
There is way to turn autoescaping off in twig template in Symfony2. Like so:
{% autoescape false %}
{{ child.vars.label }}
{% endautoescape %}
How can I do something like this in PHP template? I got expanded choice type in my form, and I need to use images as labels. But Symfony keeps escaping my img tags.
Edit:
Sorry for misunderstood, but php templates have no autoescaping. If you want escaping in php templates you must do:
<?php echo $view->escape($var) ?>
Original answer:
In Twig use raw filter - http://twig.sensiolabs.org/doc/filters/raw.html
{{ child.vars.label | raw }}
I'm developing a simple page with Symfony2, using Twig as template engine.
I have a list of urls, and I'd like to add the Twitter share button for each url. What I do is a simple cycle on the urls array, and the dinaycally set the url for every Twitter button inside the cycle. It looks like that twig encodes the url at first, and the Twitter script encodes it again. So The Twitter share count doesn't match. The code (inside the cycle) is the following, there is another part of Twitter code at the end of the page:
Tweet
The url I get on the rendered page is: http%253A%252F%252Fwww.example.com%252F (two encoding pass)
instead of http%3A%2F%2Fwww.example.com%2F (one encoding pass, correct). It looks like the % is encoded again to %25.
And this doesn't make Twitter count work, because it consider those two as different urls.
I also tried to use some filters, e.g. {{ s.url|raw }}, but it didn't work.
So my question is: how to avoid this? Is there a way to tell twig (or twitter) to not encode the url?
You can always turn autoescaping off in Twig by using the {% autoescape false %} declaration before the code you want to leave raw. This will leave any strings you output unescaped, and thus your URL will not be escaped twice. Make sure you turn autoescaping back on with {% endautoescape %}
{% autoescape false %}
Tweet
{% endautoescape %}
Full Twig HTML Escaping Documentation
An old post but looks like you can use the "raw" filter now. This should do:
{{ s.url|raw }}
http://twig.sensiolabs.org/doc/api.html#escaper-extension