On Tue, May 14, 2013 at 2:34 AM, Antoine Musso hashar+wmf@free.fr wrote:
> On 14/05/13 02:23, Jon Robson wrote:
>> Following on from Antoine's post, I experimented recently with using a template engine Mustache that works on both javascript and PHP and allows separation of HTML templates from PHP code.
> Another template engine is Twig. It is used by the Silex micro engine (based on Symfony2). See: http://twig.sensiolabs.org/
> Examples:
>
>     {{ foobar }}          # not escaped
>     {{ unsafevar|e }}     # yeah protection!
>
> You can iterate:
>
>     <ul id="users">
>     {% for user in users %}
>       <li><a href="{{ user.href }}">{{ user.name }}</a></li>
>     {% endfor %}
>     </ul>
I'll actually admit this is one reason why templating makes me nervous. DOM text, attribute values, and URLs all need different validation and escaping, so you can't just look at the template and make sure everything has |e, nor can you look at the PHP and see that everything is escaped before being passed to the template. And looking at both and making sure that each variable in the output has been correctly escaped for the HTML context in the PHP is a lot more work than just seeing $output .= Html::element( ... ).
It looks like we can define custom filters in twig, so we may be able to move the review to making sure the template correctly escapes the value for the context with the correct function. Something like:
    <ul id="users">
    {% for user in users %}
      <li><a href="{{ user|getMediaWikiUserURL }}">{{ user.name|e }}</a></li>
    {% endfor %}
    </ul>
> The problem is that it is just for PHP whereas Mustache has implementations in Javascript as well.
>
> --
> Antoine "hashar" Musso
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
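The per-context filters the reply above asks for, as an added example that is not code from this thread, from MediaWiki or from Twig. It is written in JavaScript so the same helpers could sit behind a Mustache-style renderer on the JS side as well as the PHP side. The filter name getMediaWikiUserURL is taken from the reply; its body, the /wiki/User: path it builds, and the sample user names are assumptions constructed for the example.

```javascript
// Added example, not code from the thread: one escaping filter per output
// context (DOM text / attribute value, and href), plus the user list from
// the discussion rendered through them.

var HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Filter "e": for DOM text. Quotes are escaped too, so the same output is
// safe inside a double- or single-quoted attribute value.
function e(value) {
  return String(value).replace(/[&<>"']/g, function (c) { return HTML_ESCAPES[c]; });
}

// Filter for the href context (stand-in for the hypothetical
// getMediaWikiUserURL filter). The URL is built from the user name, not
// taken from the user, so the scheme and path are fixed; the name is
// percent-encoded for the URL and the result escaped for the attribute.
// The /wiki/User: prefix is an assumed path layout.
function getMediaWikiUserURL(user) {
  return e('/wiki/User:' + encodeURIComponent(String(user.name)));
}

// Why |e alone does not cover the href context: a javascript: URL contains
// none of & < > " ' and passes through e() unchanged. Returns true when
// HTML escaping left the value untouched.
function escapedUrlUnchanged(url) {
  return e(url) === url;
}

// The template from the thread, with the correct filter applied per context.
function renderUsers(users) {
  var out = '<ul id="users">';
  for (var i = 0; i < users.length; i++) {
    out += '<li><a href="' + getMediaWikiUserURL(users[i]) + '">' + e(users[i].name) + '</a></li>';
  }
  return out + '</ul>';
}

// Constructed sample input with names that would break out of the text
// and attribute contexts if passed through unescaped.
var SAMPLE_USERS = [
  { name: 'Alice' },
  { name: '<script>alert(1)</script>' },
  { name: 'Bob" onmouseover="alert(1)' }
];

console.log(renderUsers(SAMPLE_USERS));
console.log('javascript: URL survives |e unchanged: ' + escapedUrlUnchanged('javascript:alert(1)'));
```

The point of keeping the URL filter separate from e() is the one the reply makes: the review question becomes "does each placeholder use the filter for its context?", which can be answered by reading the template alone, instead of tracing every variable back through the PHP that populated it.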