ZF-2283: View Helper htmlList() needs to escape output (but currently doesn't).

Issue Type: Improvement Created: 2007-12-07T10:46:53.000+0000 Last Updated: 2008-03-21T16:25:32.000+0000 Status: Resolved Fix version(s): - 1.5.0 (17/Mar/08)

Reporter: Carlton Gibson (carlton) Assignee: Michal Minicki (martel) Tags: - Zend_View

Related issues: Attachments:


-- Carlton Gibson wrote (on Friday, 07 December 2007, 12:18 PM +0000): I've been using the Zend_View_Helper htmlList, but from the code it looks like it fails to escape values properly.

The guidelines for writing view helpers state:

In general, the class should not echo or print or otherwise generate output. Instead, it should return values to be printed or echoed. The returned values should be escaped appropriately.

I've been using the following construct in my view scripts to get round this:

listArray[$i] = $this->escape($this->listArray[$i]); } echo $this->htmlList($this->listArray); ?> Obviously this would be better off in a function to start with but I'm thinking of writing it into a custom helper.

My thought though is that this should perhaps go in the standard ZF version. Does anyone know why htmlList() doesn't do the escaping? Do people think this is worth doing?

Absolutely htmlList() should escape values. Could you add an issue to the tracker for this, so we don't forget about it?


-- Matthew Weier O'Phinney PHP Developer | Zend - The PHP Company |


Posted by Carlton Gibson (carlton) on 2007-12-12T04:17:32.000+0000

I think two relevant cases here:

  1. You pass htmlList() an array of values which you want escaping. This could be the default. 2) You pass htmlList() something like an array of links, which you don't want escaping.

In the second case you should be able to pass htmlList() FALSE as a second parameter whereby you explicitly take the responsibility of escaping the output elsewhere upon yourself.

As long as the setView() method was present in the HtmlList class definition, something like the above quick fix could be conditionally placed at the beginning of the existing htmlList() method and the helper should work as desired...


public function htmlList($inputArray, $escape=TRUE) { {quote} if ($escape=TRUE) { for ($i=0;$i<count($inputArray);++$i) { //Calling Parent View's escape() method, via reference from $this->setVeiw() $inputArray[$i] = $this->escape($inputArray[$i]); } } {quote}

//Existing htmlList Code Here...


Posted by Jordan Ryan Moore (jordanryanmoore) on 2007-12-12T16:41:38.000+0000

Proposed patch that doesn't break BC:

<pre class="highlight">
--- /library/Zend/View/Helper/HtmlList.php  (revision 7096)
+++ /library/Zend/View/Helper/HtmlList.php  (working copy)
@@ -44,9 +44,10 @@
      * @param array   $items   Array with the elements of the list
      * @param boolean $ordered Specifies ordered/unordered list; default unordered
      * @param array   $attribs Attributes for the ol/ul tag.
+     * @param boolean $escape  Escape list item contents
      * @return string The list XHTML.
-    public function htmlList(array $items, $ordered = false, $attribs = false)
+    public function htmlList(array $items, $ordered = false, $attribs = false, $escape = false)
         if (!is_array($items)) {
             require_once 'Zend/View/Exception.php';
@@ -57,6 +58,9 @@
         foreach ($items as $item) {
             if (!is_array($item)) {
+                if ($escape && $this->view instanceof Zend_View_Abstract) {
+                    $item = $this->view->escape($item);
+                }
                 $list .= '' . $item . '';
             } else {
                 if (5 < strlen($list)) {

Posted by Michal Minicki (martel) on 2008-01-15T04:11:42.000+0000

Fixed in revision 7442. Thanks, Carlton.

Posted by Michal Minicki (martel) on 2008-01-15T04:19:10.000+0000

Revision 7743 allows for switching escaping off.

Minor BC break: All Zend Framework view helpers escape output by default so escaping must be switched off if one wants to pass an unmodified value.

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.