htmlspecialchars or $this->escape

[Matt Thomas]

Hi Everyone,

I've noticed both htmlspecialchars and $this->escape being used throughout the CMS. Is there a preference of one over the other? Are there times when one is better than the other? 

At https://groups.google.com/d/topic/joomla-dev-general/ErYGl1zMVwc/discussion Rouven mentioned a preference of htmlspecialchars() and suggested deprecating the escape() function.

Any thoughts?

Best,

Matt Thomas

Founder betweenbrain™

Lead Developer Construct Template Development Framework

Phone: 203.632.9322
Twitter: @betweenbrain

Github: https://github.com/betweenbrain

[Mark Dexter]

Well, we should decide on an approach. I don't really care that much. $this->escape is how we've done it historically, but Rouven thinks htmlspecialchars is cleaner.

What do others think? Thanks. Mark

--
You received this message because you are subscribed to the Google Groups "Joomla! General Development" group.
To post to this group, send an email to joomla-de...@googlegroups.com.
To unsubscribe from this group, send email to joomla-dev-gene...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/joomla-dev-general?hl=en-GB.

[Niels Braczek]

Am 24.01.2012 16:17, schrieb Matt Thomas:

> I've noticed both htmlspecialchars and $this->escape being
> used throughout the CMS. Is there a preference of one over the other? Are
> there times when one is better than the other?

The escape method depends on the view/document type. htmlspecialchars()
is suitable for HTML and maybe XML views, but not for fx. raw view,
where no escaping should happen. Other view (or document) types may
require totally different kinds of escaping.

So using JView::escape() is the better option.

Regards,
Niels

--
| http://barcamp-wk.de · 1. Barcamp Westküste 2./3. März 2012 |
| http://www.bsds.de · BSDS Braczek Software- und DatenSysteme |
| Webdesign · Webhosting · e-Commerce · Joomla! Content Management |
------------------------------------------------------------------

[Matt Thomas]

Niels,

Are you suggesting that JView::escape() could be used everywhere, and in place of htmlspecialchars?

Best,

Matt Thomas

Founder betweenbrain™

Lead Developer Construct Template Development Framework

Phone: 203.632.9322
Twitter: @betweenbrain

Github: https://github.com/betweenbrain

[Mark Dexter]

$this->escape is only available in views. We also escape output in other places, such as modules. We don't have that method for modules at this point. Mark

[Matt Thomas]

Ah, hence using both methods. Thanks for the clarification! I was finding it very confusing.

Would be it safe to assume that $this->escape won't be deprecated at any point soon then?

Best,

Matt Thomas

Founder betweenbrain™

Lead Developer Construct Template Development Framework

Phone: 203.632.9322
Twitter: @betweenbrain

Github: https://github.com/betweenbrain

[Rouven Weßling]

On 24.01.2012, at 16:30, Niels Braczek wrote:

The escape method depends on the view/document type. htmlspecialchars()
is suitable for HTML and maybe XML views, but not for fx. raw view,
where no escaping should happen. Other view (or document) types may
require totally different kinds of escaping.

So using JView::escape() is the better option.

I never saw an opportunity to share code between a raw and an HTML view, so why don't I just use the matter of escaping I see as the most fitting?

On 24.01.2012, at 16:43, Matt Thomas wrote:

Ah, hence using both methods. Thanks for the clarification! I was finding it very confusing.

Would be it safe to assume that $this->escape won't be deprecated at any point soon then?

I think the most recent conset result was to get rid of the dynamic nature of the escape() function eventually and to deprecate the setEscape() function. Some people plan a revamp of the MVC package anyways (that will hopefully part of 3.0) so for now I think you can assume that escape() won't deprecated in 3.0 - whether it will stay depends on the MVC revamp.

Best regards

Rouven

[Niels Braczek]

Am 24.01.2012 16:34, schrieb Matt Thomas:

> Are you suggesting that JView::escape() could be used everywhere, and in
> place of htmlspecialchars?

At the end, yes. I'm only concerned about, whether JView is the right
place for the method to be. I think, JDocument is more appropriate.
JView should just provide a proxy to the (not yet existing)
JDocument::escape(). That way, views and templates still can use
$this->escape(), and the escape method is available to modules and other
stuff.

[Rouven Weßling]

On 24.01.2012, at 16:50, Niels Braczek wrote:

> At the end, yes. I'm only concerned about, whether JView is the right
> place for the method to be. I think, JDocument is more appropriate.
> JView should just provide a proxy to the (not yet existing)
> JDocument::escape(). That way, views and templates still can use
> $this->escape(), and the escape method is available to modules and other
> stuff.

As far as I know it's still a possibility that JDocument is gonna get deprecated. I think in the next few week a discussion about a new MVC pattern will start in the platform. I suggest to bring this topic up again at that time.

Rouven

[Matt Thomas]

Thanks! We'll keep an eye out for that discussion.

Best,

Matt Thomas

Founder betweenbrain™

Lead Developer Construct Template Development Framework

Phone: 203.632.9322
Twitter: @betweenbrain

Github: https://github.com/betweenbrain

[Andrew Eddie]

There's actually no reason why modules can't use JView so that all layouts can use $this->escape as well as the other benefits of JView ($this->baseurl comes to mind).  JView is not for the exclusive use of components.

Regards,

Andrew Eddie

http://learn.theartofjoomla.com

[Matt Thomas]

Could templates also use JView, therefore allowing a standardized method of escaping data?

Best,

Matt

Sent from my phone that uses an open source operating system.

--

You received this message because you are subscribed to the Google Groups "Joomla! General Development" group.

To view this discussion on the web, visit https://groups.google.com/d/msg/joomla-dev-general/-/fIeTRvit2KYJ.

[Andrew Eddie]

It's not without caveats but I don't see why not. Conversely, it
would be nice for all layouts to support jdoc tags as well.

Regards,
Andrew Eddie
http://learn.theartofjoomla.com - training videos for Joomla 1.7 developers

[Matt Thomas]

The reason I originally asked is that I found it a bit confusing to see two methods of escaping being used. It would be fantastic to be able to standardize on one method, if that's possible.

May I ask what those caveats may be ;)

Yes, it would be absolutely cool if all layouts supported jdoc tags. I'd love to see that happen.

Best,

Matt Thomas

Founder betweenbrain™

Lead Developer Construct Template Development Framework

Phone: 203.632.9322
Twitter: @betweenbrain

Github: https://github.com/betweenbrain

[Andrew Eddie]

The caveats are that the template does a few things slightly
differently and I'm not sure what the ideal balance would be without
looking at it in detail (or we need to completely rethink the markup
of a templates and/or layouts - XSLT or a hybrid XML model like we
used to have with patTemplate could be on the cards). Hopefully that
kind of detail will come out in the review of the MVC. Whatever the
case, I fully support trying to standardise all the "similar" types of
output because, and I agree, it's confusing to remember what works, or
doesn't, where.

Regards,
Andrew Eddie
http://learn.theartofjoomla.com - training videos for Joomla 1.7 developers