How to make Smarty automatically escape all template variables, but ignore captures

I want to automatically escape all template variables, that is, I want them to be escaped without having to write |escape all the time. Thus, I have enabled the $escape_html setting.

However, it appears that Smarty handles variables created using {capture} the same way, although they can be considered trusted input. We have a lot of them in our code base, and writing nofilter everywhere is almost as annoying as writing |escape.

Is there a solution to this? Or are $escape_html and {capture} incompatible?

1 answer

$escape_html and {capture} are by definition not incompatible, no.

$escape_html (as well as {setfilter} and default_modifiers) suffer from the problem of not knowing the context of the variable. They are executed whenever a variable is output. There is no "where does this variable come from" tracking that would allow the Smarty compiler to implement "hey, variable $foo was defined by a capture and has thus already been escaped, so don't escape it again." It gets even worse when considering scenarios such as "inside the capture, escape for JavaScript; then escape the resulting string as HTML."

Your options are pretty limited right now:

  • |escape everything that needs to be escaped
  • nofilter everything that should not be escaped (again)

I will discuss this issue with the Smarty compiler developer to see what we can do. But if we find a solution, it will be introduced with Smarty 3.2 at the earliest. So for now, escape / nofilter manually.

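The behaviour the answer describes, as an added example that is not part of the original question or answer: a Smarty 3.1 script with $escape_html turned on renders a {capture} block twice, once through the automatic filter (the markup inside the capture gets HTML-escaped a second time) and once with nofilter (the capture is emitted as-is, while the untrusted {$name} inside it was already escaped when the capture was filled). The autoload path, compile directory and the sample value are assumptions made for this example.

```php
<?php
// Added example (not from the original Q&A): $escape_html vs. {capture} in Smarty 3.1.
// Assumption: Smarty installed via Composer; adjust the path for a manual install.
require_once __DIR__ . '/vendor/autoload.php';

$smarty = new Smarty();
// Assumption: a writable compile directory; Smarty defaults to ./templates_c.
$smarty->setCompileDir(sys_get_temp_dir() . '/smarty_compile');

// Auto-escape every {$var} on output, so templates need no trailing |escape.
$smarty->escape_html = true;

// Constructed untrusted input, the kind of value a user could submit.
$smarty->assign('name', '<script>alert(1)</script>');

// Nowdoc: PHP does not interpolate {$name} here, Smarty does.
$tpl = <<<'TPL'
{capture name="greeting"}<strong>Hello, {$name}!</strong>{/capture}
--- default output: the capture's own markup is escaped again ---
{$smarty.capture.greeting}

--- nofilter: trusted markup kept, {$name} already escaped once ---
{$smarty.capture.greeting nofilter}
TPL;

// The string: resource lets us render the template without a file on disk.
echo $smarty->fetch('string:' . $tpl);
```

In the first rendering the `<strong>` tags come out as `&lt;strong&gt;`, which is the double escaping the question complains about; in the second the tags survive and only the injected `<script>` text is neutralised, because escaping was applied exactly once, at the point where the untrusted variable entered the capture. That is the "escape / nofilter manually" workaround from the answer, and a reviewer can check every `nofilter` by asking whether each variable used inside the corresponding capture was itself subject to $escape_html.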
