Changeset View
Changeset View
Standalone View
Standalone View
src/docs/contributor/rendering_html.diviner
@title Rendering HTML | @title Rendering HTML | ||||
@group developer | @group developer | ||||
Rendering HTML in the Phabricator environment. | Rendering HTML in the Phorge environment. | ||||
= Overview = | = Overview = | ||||
Phabricator attempts to prevent XSS by treating strings as default-unsafe when | Phorge attempts to prevent XSS by treating strings as default-unsafe when | ||||
rendering. This means that if you try to build HTML through string | rendering. This means that if you try to build HTML through string | ||||
concatenation, it won't work: the string will be escaped by the rendering | concatenation, it won't work: the string will be escaped by the rendering | ||||
pipeline, and the browser will treat it as plain text, not HTML. | pipeline, and the browser will treat it as plain text, not HTML. | ||||
This document describes the right way to build HTML components so they are safe | This document describes the right way to build HTML components so they are safe | ||||
from XSS and render correctly. Broadly: | from XSS and render correctly. Broadly: | ||||
- Use @{function@arcanist:phutil_tag} (and @{function:javelin_tag}) to build | - Use @{function@arcanist:phutil_tag} (and @{function:javelin_tag}) to build | ||||
Show All 29 Lines | content correctly (without double-escaping): | ||||
phutil_tag( | phutil_tag( | ||||
'div', | 'div', | ||||
array(), | array(), | ||||
phutil_tag( | phutil_tag( | ||||
'strong', | 'strong', | ||||
array(), | array(), | ||||
$content)); | $content)); | ||||
In Phabricator, the @{function:javelin_tag} function is similar to | In Phorge, the @{function:javelin_tag} function is similar to | ||||
@{function@arcanist:phutil_tag}, but provides special handling for the | @{function@arcanist:phutil_tag}, but provides special handling for the | ||||
`sigil` and `meta` attributes. | `sigil` and `meta` attributes. | ||||
= Building Blocks: hsprintf() = | = Building Blocks: hsprintf() = | ||||
Sometimes, @{function@arcanist:phutil_tag} can be particularly awkward to | Sometimes, @{function@arcanist:phutil_tag} can be particularly awkward to | ||||
use. You can use @{function@arcanist:hsprintf} to build larger and more | use. You can use @{function@arcanist:hsprintf} to build larger and more | ||||
complex blocks of HTML, when @{function@arcanist:phutil_tag} is a poor fit. | complex blocks of HTML, when @{function@arcanist:phutil_tag} is a poor fit. | ||||
▲ Show 20 Lines • Show All 49 Lines • ▼ Show 20 Lines | @{function:phutil_implode_html}: | ||||
// Render links with commas between them. | // Render links with commas between them. | ||||
phutil_tag( | phutil_tag( | ||||
'div', | 'div', | ||||
array(), | array(), | ||||
phutil_implode_html(', ', $list_of_links)); | phutil_implode_html(', ', $list_of_links)); | ||||
= AphrontView Classes = | = AphrontView Classes = | ||||
Subclasses of @{class:AphrontView} in Phabricator should return a | Subclasses of @{class:AphrontView} in Phorge should return a | ||||
@{class@arcanist:PhutilSafeHTML} object. The easiest way to do this is to | @{class@arcanist:PhutilSafeHTML} object. The easiest way to do this is to | ||||
return `phutil_tag()` or `javelin_tag()`: | return `phutil_tag()` or `javelin_tag()`: | ||||
return phutil_tag('div', ...); | return phutil_tag('div', ...); | ||||
You can use an @{class:AphrontView} subclass like you would a tag: | You can use an @{class:AphrontView} subclass like you would a tag: | ||||
phutil_tag('div', array(), $view); | phutil_tag('div', array(), $view); | ||||
▲ Show 20 Lines • Show All 54 Lines • Show Last 20 Lines |
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0