Feature #8000: Use XML parser for WTemplate rendering instead of simple text substitution
Status: open
Start date: 01/27/2021
% Done: 0%
Description
Right now, we're doing a simple find and replace when writing out the template text of WTemplate.
However, if we properly use an XML parser, we can do things like:
- Strip comments
- Do context sensitive escaping: right now we always assume variables are in the text body. However, users may use them inside of attributes like this: <a href="${var}"></a>. This should be properly escaped as an attribute. Sometimes users may be tempted to use this with untrusted text and cause XSS issues.

It would also be nice to be able to do the following, but they're more advanced, and are actually not really possible within the current API because of the virtual functions of WTemplate:
- Partial template updates when conditions change (we can't really know when they change when conditionValue(...) is overridden, and even templateText() is virtual)
- Retrieve a list of all variables in the template
- Enforce the rule that widgets only occur once in a template

The encode() function can be rolled into this, instead of having multiple passes.
Updated by Korneel Dumon over 3 years ago
Regarding the example, the href attribute cannot be easily escaped to protect against XSS.
In this case, a possibility is to remove it or allow a user to bind an UnsafeXHTML string (which they then have to escape themselves).
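An added example (not Wt's code) of what the context-sensitive escaping from the description and the href point from the comment above look like together: a small C++ renderer that escapes a ${var} one way in text content and another way inside a double-quoted attribute, and that does not try to escape href at all but only accepts http(s) URLs there, dropping anything else. The ${name} placeholder syntax, the helper names and the http(s)-only rule are assumptions for illustration.

```cpp
#include <map>
#include <string>

// Escape for HTML text; with attr=true also neutralise the double quote.
std::string escapeHtml(const std::string& s, bool attr) {
    std::string out;
    for (char c : s) {
        if (c == '&') out += "&amp;";
        else if (c == '<') out += "&lt;";
        else if (c == '>') out += "&gt;";
        else if (attr && c == '"') out += "&quot;";
        else out += c;
    }
    return out;
}
// Toy renderer (assumptions: placeholders are ${name}, attributes are double-quoted).
// Tracks whether a placeholder is in text content, an attribute value, or href.
std::string render(const std::string& tmpl,
                   const std::map<std::string, std::string>& vars) {
    std::string out, attrName;
    bool inTag = false, inAttr = false;
    for (size_t i = 0; i < tmpl.size(); ++i) {
        if (tmpl.compare(i, 2, "${") == 0) {
            size_t end = tmpl.find('}', i);
            if (end == std::string::npos) break;           // unterminated: stop
            auto it = vars.find(tmpl.substr(i + 2, end - i - 2));
            std::string v = (it == vars.end()) ? "" : it->second;
            if (inAttr && attrName == "href") {
                // href cannot be made safe by escaping alone: accept http(s) URLs
                // only and drop anything else (the "remove it" option).
                if (v.rfind("http://", 0) == 0 || v.rfind("https://", 0) == 0)
                    out += escapeHtml(v, true);
            } else out += escapeHtml(v, inAttr);
            i = end;
            continue;
        }
        char c = tmpl[i];
        if (inTag && c == '"') {                           // enter/leave attribute
            inAttr = !inAttr; attrName.clear();
            if (inAttr && i > 0 && tmpl[i - 1] == '=') {   // recover attribute name
                size_t s = i - 1;
                while (s > 0 && tmpl[s - 1] >= 'a' && tmpl[s - 1] <= 'z') --s;
                attrName = tmpl.substr(s, i - 1 - s);
            }
        } else if (!inAttr && c == '<') inTag = true;
        else if (!inAttr && c == '>') inTag = false;
        out += c;
    }
    return out;
}
```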