Restore merge of phutil_tag.
@@ -108,13 +108,13 @@ must to maintain backward compatibility.)

If you need to build a list of items with some element in between each of them
(like a middot, comma, or vertical bar) you can use
@{function:array_interleave}:
@{function:phutil_implode_html}:

// Render links with commas between them.
phutil_tag(
'div',
array(),
array_interleave(', ', $list_of_links));
phutil_implode_html(', ', $list_of_links));

= AphrontView Classes =

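Review bot: the list-joining example swaps between @{function:array_interleave} and @{function:phutil_implode_html} (the lines ending `array_interleave(', ', $list_of_links));` and `phutil_implode_html(', ', $list_of_links));`) without telling the reader how the separator and the items are treated, even though this section of the document is about which values get escaped. Add one sentence stating whether the `', '` separator and each element of `$list_of_links` are escaped as children or passed through as already-safe HTML, so the reader can see that the join does not reopen an escaping gap.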
@@ -124,14 +124,6 @@ return `phutil_tag()` or `javelin_tag()`:

return phutil_tag('div', ...);

@{class:AphrontView} subclasses can use `renderHTMLChildren()` and
`renderHTMLView()` to build @{class@libphutil:PhutilSafeHTML} objects from
children or arbitrary lists of components.

@{class:AphrontView} subclasses should avoid `renderChildren()` and
`renderSingleView()` and transition callers to the `HTML` varieties. These older
methods do not return @{class@libphutil:PhutilSafeHTML} objects.

= Internationalization: pht() =

The @{function:pht} function has some special rules. If any input to
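Review bot: the header `@@ -124,14 +124,6 @@` shows eight lines leaving this region, which is exactly the size of the two paragraphs on `renderHTMLChildren()`/`renderHTMLView()` and on avoiding `renderChildren()`/`renderSingleView()`; if those methods still exist on @{class:AphrontView}, removing the only statement that the older pair does not return @{class@libphutil:PhutilSafeHTML} leaves view authors without that warning. Keep at least a one-line pointer to the `HTML` variants here, or say where that guidance now lives.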
@@ -156,16 +148,36 @@ calling @{function:phutil_safe_html} on it. This is **dangerous**, because if
you are wrong and the string is not actually safe, you have introduced an XSS
vulnerability. Consequently, you should avoid calling this if possible.

You can use @{function@libphutil:phutil_escape_html} to explicitly escape an
HTML string. You should not normally need to use it.

You can use @{function@libphutil:phutil_escape_html_newlines} to escape HTML
while converting newlines to `<br />`.
while converting newlines to `<br />`. You should not need to explicitly use
@{function@libphutil:phutil_escape_html} anywhere.

If you need to apply a string function (such as `trim()`) to safe HTML, use
@{method@libphutil:PhutilSafeHTML::applyFunction}.

If you need to extract the content of a @{class@libphutil:PhutilSafeHTML}
object, you should call `getHTMLContent()`, not cast it to a string. Eventually,
we would like to remove the string cast entirely.

Functions @{function@libphutil:phutil_tag} and @{function@libphutil:hsprintf}
are not safe if you pass the user input for the tag or attribute name. All the
following examples are dangerous:

counterexample
phutil_tag($evil);

phutil_tag('span', array($evil => $evil2));

// Use PhutilURI to check if $evil is valid HTTP link.
phutil_tag('a', array('href' => $evil));

phutil_tag('span', array('onmouseover' => $evil));

hsprintf('<%s>%s</%s>', $evil, $evil2, $evil);

// We have a lint rule disallowing this.
hsprintf($evil);

= Deprecated Functions =

The functions @{function@libphutil:phutil_render_tag} and

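Review bot: in the `counterexample` block only the `href` case carries a remedy (`// Use PhutilURI to check if $evil is valid HTTP link.`), while the tag-name cases (`phutil_tag($evil);`, `hsprintf('<%s>%s</%s>', $evil, $evil2, $evil);`), the attribute-name case and the `onmouseover` case have none; since the lead sentence says all of them are dangerous, state explicitly that no validation makes a user-controlled tag name, attribute name or event-handler attribute safe, so readers do not go looking for a PhutilURI-style check for those. Also, if both "You should not normally need to use it." and "You should not need to explicitly use @{function@libphutil:phutil_escape_html} anywhere." survive in the resulting file, the same advice is given twice a few lines apart; keep one wording.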