What's the best way to escape data from Models or Controllers to easily and safely display them in views? It seems kind of overkill to use html::specialchars($varname) for every data variable. It can also cause problems if a programmer forgets to "escape" data.
I've also encountered problems escaping ORM objects within loops.
I wrote the Twig module gimpe has suggested and by default it automatically escapes all data. You might also want to look into Kostache. It's a class based view system that does automatic escaping.
Regarding your comment:
"Is there a way to do this directly from the Model"
You don't want to escape the data here because HTML-escaped data doesn't make sense in all output formats, e.g. JSON and XML.
Do the escaping at the view level.
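The point made above, that HTML escaping belongs in the view because the same data may also go out as JSON or XML, shown as an added example that is not part of the original answers. It is plain PHP without Kohana or Twig; the `Escaped` wrapper and the sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added example: plain PHP only; all names are hypothetical.

/** Wraps view data so strings are HTML-escaped at the moment they are read. */
final class Escaped implements IteratorAggregate
{
    private $value;

    public function __construct($value) { $this->value = $value; }

    private static function wrap($v)
    {
        if (is_string($v)) {
            return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
        // Rows and nested collections are wrapped lazily, so loop items
        // and their fields are escaped as well.
        return (is_array($v) || is_object($v)) ? new self($v) : $v;
    }

    public function __get($name)
    {
        return self::wrap(is_array($this->value) ? $this->value[$name] : $this->value->$name);
    }

    public function getIterator(): Traversable
    {
        foreach ($this->value as $key => $item) {
            yield $key => self::wrap($item);
        }
    }
}

// Constructed sample rows standing in for ORM results; the model data stays raw.
$comments = [
    (object) ['author' => 'Tom & "Jerry"', 'body' => '<script>alert(1)</script>'],
    (object) ['author' => 'Ann', 'body' => 'plain text'],
];

// HTML view: every field passes through Escaped before it reaches the markup.
$html = '';
foreach (new Escaped($comments) as $c) {
    $html .= "<li><b>{$c->author}</b>: {$c->body}</li>\n";
}
echo $html;

// JSON view: same raw rows, JSON's own encoding; HTML entities would corrupt it.
echo json_encode($comments, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), "\n";
```

The wrapper covers HTML text and quoted-attribute contexts only; values placed into script blocks or URLs need the encoding for that context.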
One way to achieve that is using a templating engine like Twig for the views. (see KO3 module http://github.com/ThePixelDeveloper/kohana-twig)
Then you simply need to load the Escaper extension:
Twig_Extension_Escaper: Adds automatic output-escaping and the possibility to escape/unescape blocks of code.
Ref.: http://www.twig-project.org/book/03-Twig-for-Developers