[wp-trac] [WordPress Trac] #60229: HTML API: Introduce HTML Templating

WordPress Trac noreply at wordpress.org
Thu Jan 11 03:41:51 UTC 2024


#60229: HTML API: Introduce HTML Templating
-------------------------+-------------------------------------------------
 Reporter:  dmsnell      |      Owner:  (none)
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  6.5
Component:  HTML API     |    Version:  trunk
 Severity:  normal       |   Keywords:  has-patch has-unit-tests
  Focuses:               |  needs-dev-note dev-feedback
-------------------------+-------------------------------------------------
 WordPress relies on developers remembering to perform proper escaping when
 building HTML strings. There's no mechanism to ensure that output HTML is
 safe. This patch introduces `WP_HTML_Template::render( $template, $args )`
 to do just that.

 {{{#!php
 <?php
 echo WP_HTML_Template::render(
 	<<<HTML
 <a href="</%url>">
 	<img src="</%url>">
 	</%url>
 </a>
 HTML,
 	array( 'url' => 'https://s.wp.com/i/atat.png?w=640&h=480&alt="atat>atst"' ),
 );
 }}}

 outputs

 {{{
 <a href="https://s.wp.com/i/atat.png?w=640&h=480&alt="atat>atst"">
 	<img src="https://s.wp.com/i/atat.png?w=640&h=480&alt="atat>atst"">
 	https://s.wp.com/i/atat.png?w=640&h=480&alt="atat>atst"
 </a>
 }}}

 This proposed templating syntax uses closing tags with invalid tag names,
 so-called "funky comments," as placeholders. They suit the purpose for three
 reasons: browsers already parse them near-universally, they become HTML
 comments in the DOM rather than elements, and the syntax cannot be nested.
 The `%` at the front indicates that the placeholder's value comes from the
 args array under the key that follows the `%`.

 This proposal does not yet consider nested HTML, or "raw" HTML. It
 currently escapes all content. It would be great if the templating engine
 could properly and safely handle HTML passed into it without risking
 unintentional exposure, but there must also be some way to communicate
 that a value inside is already escaped //and that its safety is
 maintained//.

 By relying on the HTML API, this templating only supports replacement of
 values //inside// HTML attributes or in plaintext (`#text`) nodes. It's
 not possible to inject HTML tags (unless nested support can be safely
 added), comments, or other HTML syntax.
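 The substitution rule described above, as an added stand-alone model in PHP
 (not the patch's `WP_HTML_Template`; `render_funky_template` and its regex
 tokenizer are hypothetical): it substitutes `</%name>` only inside
 double-quoted attribute values and in text between tags, escapes for that
 context, and refuses any template where a placeholder sits somewhere the value
 could complete a tag or attribute. It assumes a template without comments,
 `<script>`/`<style>` bodies, or stray `<` in text.

```php
<?php
function render_funky_template( string $template, array $args ): string {
	$core = '<\/%([A-Za-z0-9_-]+)>';
	// One escaper serves both contexts: `&`, `<`, `>`, `"` and `'` are all
	// encoded, so a value can neither close its attribute nor open a tag.
	$escape = function ( array $m ) use ( $args ): string {
		if ( ! array_key_exists( $m[1], $args ) ) {
			throw new InvalidArgumentException( "No value for placeholder {$m[0]}" );
		}
		return htmlspecialchars( (string) $args[ $m[1] ], ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	};
	// Tokens: start tags (quoted values may contain `>`), end tags, placeholders.
	$start = '<[A-Za-z][A-Za-z0-9-]*(?:\s+[^\s=>\/"\']+(?:\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>"\']+))?)*\s*\/?>';
	$end   = '<\/[A-Za-z][A-Za-z0-9-]*\s*>';
	preg_match_all( "/($start)|($end)|$core/", $template, $tokens, PREG_SET_ORDER | PREG_OFFSET_CAPTURE );
	$out = '';
	$pos = 0;
	foreach ( $tokens as $t ) {
		[ $token, $at ] = $t[0];
		$text = substr( $template, $pos, $at - $pos );
		$pos  = $at + strlen( $token );
		if ( '' !== $t[1][0] ) { // start tag: substitute only inside double-quoted values
			$token = preg_replace_callback( '/"([^"]*)"/', fn ( $q ) => '"' . preg_replace_callback( "/$core/", $escape, $q[1] ) . '"', $token );
		} elseif ( '' === $t[2][0] ) { // placeholder in text
			// A dangling `<` before it would let the value complete a tag or attribute.
			if ( false !== strpos( $text, '<' ) ) {
				throw new UnexpectedValueException( "Placeholder {$token} follows an unparsed `<`" );
			}
			$token = $escape( array( $token, $t[3][0] ) );
		}
		$out .= $text . $token;
	}
	$out .= substr( $template, $pos );
	// Anything left sits inside a tag in an unsupported position (tag name,
	// unquoted or single-quoted value): refuse rather than emit it.
	if ( preg_match( "/$core/", $out ) ) {
		throw new UnexpectedValueException( 'Placeholder outside an attribute value or text node.' );
	}
	return $out;
}

// Constructed sample: the ticket's own value, with `&`, `"` and `>` inside it.
$args = array( 'url' => 'https://s.wp.com/i/atat.png?w=640&h=480&alt="atat>atst"' );
echo render_funky_template( '<a href="</%url>"><img src="</%url>"></%url></a>', $args ), "\n";
try { // a placeholder in tag-name position is refused rather than rendered
	render_funky_template( '<</%tag> class="x"></div>', array( 'tag' => 'div' ) );
} catch ( UnexpectedValueException $e ) {
	echo $e->getMessage(), "\n";
}
```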

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/60229>
WordPress Trac <https://core.trac.wordpress.org/>