On Tue, May 14, 2013 at 2:34 AM, Antoine Musso <hashar+wmf(a)free.fr> wrote:
> On 14/05/13 02:23, Jon Robson wrote:
>> Following on from Antoine's post, I experimented recently with using a
>> template engine Mustache that works on both JavaScript and PHP and
>> allows separation of HTML templates from PHP code.
>
> Another template engine is Twig. It is used by the Silex micro engine
> (based on Symfony2). See:
> http://twig.sensiolabs.org/
>
> Examples:
>
> {{ foobar }} # not escaped
> {{ unsafevar|e }} # yeah protection!
>
> You can iterate:
>
> <ul id="users">
> {% for user in users %}
> <li><a href="{{ user.href }}">{{ user.name }}</a></li>
> {% endfor %}
I'll actually admit this is one reason why templating makes me
nervous. DOM text, attribute values, and URLs all need different
validation and escaping, so you can't just look at the template and
make sure everything has |e, nor can you look at the PHP and see that
everything is escaped before being passed to the template. And looking
at both and making sure that each variable in the output has been
correctly escaped for the HTML context in the PHP is a lot more work
than just seeing $output .= Html::element( ... ).

It looks like we can define custom filters in Twig, so we may be able
to move the review to making sure the template correctly escapes the
value for the context with the correct function. Something like:
<ul id="users">
{% for user in users %}
<li><a href="{{ user|getMediaWikiUserURL }}">{{ user.name|e }}</a></li>
{% endfor %}
> The problem is that it is just for PHP whereas Mustache has
> implementations in JavaScript as well.
>
> --
> Antoine "hashar" Musso
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l