Reputation: 740
What's the best way to escape vars in Zend_View automatically?
A week or two ago I just started using Zend Framework seriously and have had trouble escaping manually with Zend_View::escape(). Does anyone knows how to escape vars in templates (Zend_View templates) automatically without using $this->escape(), or any other tricky ways like output buffering and PREG replacing *.phtml files.
I'd like to know the best practice in this case.
Upvotes: 2
Views: 1198
Answers (5)
Reputation: 371
ZendX_View_Autoescaping, this project provides you a ViewRenderer with autoescaping of all assigned view variables.
https://github.com/jensklose/ZendX_View_Autoescaping
Try it!
It supports:
- escaping into deep data structures
- escaping the array keys
- possibility to switch the escaping context (html, json, nofilter)
Upvotes: 0
Reputation: 405
Over at the PiKe project we build a custom stream wrapper that automatically escapes all view variables, with a MINIMAL performance hit! You can still get the RAW value with:
<?=~ $variable ?>
Notice the "~" character. Checkout http://code.google.com/p/php-pike/wiki/Pike_View_Stream
I know you said that you want to avoid "tricky ways like output buffering and PREG replacing *.phtml files.", but I still think it's a very neat way to fix auto escaping in Zend Framework 1.
Upvotes: 2
Reputation: 43243
You can extend Zend_View to create a custom view class which autoescapes things, or you can use a view helper to turn autoescaping on/off.
I have written a blogpost about it, with example code for both approaches: How to automatically escape template variables in Zend_View
Upvotes: 2
Reputation: 12843
You have asked for best practice then what you are doing is already it. Wait till when you want to display your data before modifying it only for output reasons.
I understand you find writting ->escape() everytime tedious but its still the way to go.
If you where to auto escape everything then you would run into problems one day when you want/need unescaped data.
Upvotes: 0
Reputation: 4335
You said "automatically", so I believe that that means when you do echo $this->var; you want it escaped. Well, if that's the case, maybe you could do the escaping when the variable is set to the view. AFAIK it's done in the Zend_View_Abstract class' __set magic method* (around line 300). Changing the core ZF code is not recommended, so you could go by extending Z_V_A or Z_V and just override the __set method.
*I'm not 100% sure that Z_V_A::__set is the only place where the params are assigned to the view, but I think it should be. Can't think of any other place for that.
Edit: Personally, I'd avoid this and just stick with the good ol' $this->escape(). More typing but less magic going on in the background.
Upvotes: 0
Related Questions
- How to automatically escape variables in a Zend Framework 2 view
- In ZF2 how to Escape HTML in Custom View Helpers
- Escaping output in a Zend View Helper
- Zend View - Automatically escape assigned variables
- Zend escape() function doesn't work
- Changing how variables are retrieved in a Zend Framework view script
- Automatic variable escaper for Zend Framework
- Zend Framework disable string escape in ->insert
- Always escape output in view? Why?
- What is the best way to escape user output with the Zend Framework?