What's the best way to escape data from Models or Controllers to easily and safely display them in views? It seems kind of overkill to use html::specialchars($varname) for every data variable. It can also cause problems if a programmer forgets to "escape" data.

I've also encountered problems escaping ORM objects within loops.

A: 

One way to achieve that is using a templating engine like Twig for the views. (see KO3 module http://github.com/ThePixelDeveloper/kohana-twig)

Then you simply need to load the Escaper extension:

Twig_Extension_Escaper: Adds automatic output-escaping and the possibility to escape/unescape blocks of code.

Ref.: http://www.twig-project.org/book/03-Twig-for-Developers

gimpe
Is there a way to do this directly from the Model?
Andres
A: 

I wrote the Twig module gimpe suggested, and by default it automatically escapes all data. You might also want to look into Kostache. It's a class-based view system that does automatic escaping.

Regarding your comment:

Is there a way to do this directly from the Model?

You don't want to escape the data here, because HTML-escaped data doesn't make sense in all output formats, e.g. JSON and XML.

Do the escaping at the view level.

The Pixel Developer
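To illustrate what both answers are getting at (escape automatically at the view layer, leave the model's data raw so other output formats are not broken), here is a small example written for this page. It is not Kohana's View class and not the kohana-twig or Kostache module; the `EscapedView` class, the helper function names and the sample row are all constructed for the illustration.

```php
<?php
// Added example: a minimal auto-escaping view wrapper (not Kohana's View
// class or the kohana-twig module). Model data stays raw; escaping happens
// only when a value is read by an HTML template, so the same row can still
// be emitted as JSON without double-encoding.

declare(strict_types=1);

// Constructed sample rows, as an ORM query might return them. The first
// title carries characters that must never reach an HTML page unescaped.
const SAMPLE_ROWS = [
    ['id' => 7, 'title' => 'Tom & Jerry <script>alert(1)</script>', 'author' => 'O\'Neil "Ace"'],
    ['id' => 8, 'title' => 'Plain title', 'author' => 'Bob'],
];

/**
 * Escape a scalar for an HTML body or attribute context. ENT_QUOTES covers
 * both quote styles so the value is also safe inside quoted attributes.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Auto-escaping view: every variable read through the view is escaped on
 * access, so a template author cannot forget html::specialchars(). raw() is
 * the explicit opt-out, the same role a Twig autoescape block plays.
 */
final class EscapedView
{
    private array $data;

    public function __construct(array $data)
    {
        $this->data = $data;
    }

    /** Escaped access: the default for anything echoed into HTML. */
    public function __get(string $name): string
    {
        return html_escape((string) ($this->data[$name] ?? ''));
    }

    /** Unescaped access, only for values already known to be safe HTML. */
    public function raw(string $name): string
    {
        return (string) ($this->data[$name] ?? '');
    }

    /** The template receives only the escaping wrapper, never the raw array. */
    public function render(callable $template): string
    {
        return $template($this);
    }
}

// Loop over ORM-style rows: each row is wrapped before the template sees it,
// which is the loop case the question mentions.
function render_list_html(array $rows): string
{
    $items = '';
    foreach ($rows as $row) {
        $view = new EscapedView($row);
        $items .= $view->render(function (EscapedView $v): string {
            return "<li data-id=\"{$v->id}\">{$v->title} by {$v->author}</li>";
        });
    }
    return "<ul>{$items}</ul>";
}

// The same rows as JSON: no HTML escaping, because the consumer is not a
// browser DOM. Escaping in the model would corrupt this output.
function render_list_json(array $rows): string
{
    return json_encode($rows, JSON_THROW_ON_ERROR);
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    echo render_list_html(SAMPLE_ROWS), PHP_EOL;
    echo render_list_json(SAMPLE_ROWS), PHP_EOL;
}
```

Run it with `php example.php`: the HTML list shows the `<script>` tag and the quotes as entities, while the JSON line carries the original characters, which is exactly why the escaping belongs in the view and not in the model.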
