Is it safe to use ['view'] as-is in tpl?
Amir Simantov - July 5, 2009 - 23:02
| Project: | Content Templates (Contemplate) |
| Version: | 6.x-1.1 |
| Component: | Code |
| Category: | support request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
I use this module to figure out what the actual values in a CCK field I make are, and then I use it in the tpl file, like this:
<?php print $node->field_source[0]['value'] ?>
I got some opinion from a colleague that it is not XSS-safe. However, must I check_plain() each such value, or may I use the safe array item:
<?php print $node->field_source[0]['safe'] ?>
Of course, in a situation like this I don't want the ['view'] array item because I want to display or use the value in some other way.
Any help will be appreciated! Thanks!
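An added example (not code from this issue or from the Contemplate module) showing the difference the question is about: printing a raw CCK ['value'] in a .tpl.php sends user-entered markup straight to the browser, while escaping it first renders it as literal text. It runs outside Drupal, so check_plain_demo() is an assumed stand-in for Drupal 6's check_plain(), the $node object is constructed, and filling ['safe'] from that same escaping function is an assumption made for the demo, not a statement of how CCK builds it.

```php
<?php
// Added example, not from the issue or the Contemplate module.
// Stand-in for Drupal 6's check_plain(): HTML-escape a string, including
// quotes, as UTF-8 (assumed equivalent for the purpose of this demo).
function check_plain_demo($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Build a constructed node whose field value came from an untrusted editor.
function make_demo_node() {
  $node = new stdClass();
  $node->field_source = array(
    0 => array(
      'value' => '<script>alert("xss")</script> "Source" & <b>bold</b>',
    ),
  );
  // Assumption for the demo: ['safe'] holds the escaped copy of ['value'].
  $node->field_source[0]['safe'] = check_plain_demo($node->field_source[0]['value']);
  return $node;
}

// What a template line "print $node->field_source[0]['value']" emits:
// the raw value, so the <script> tag reaches the browser as markup.
function render_raw($node) {
  return $node->field_source[0]['value'];
}

// What "print check_plain($node->field_source[0]['value'])" emits:
// the same text with <, >, &, " and ' escaped, so it displays literally.
function render_escaped($node) {
  return check_plain_demo($node->field_source[0]['value']);
}

// Crude check used only to make the difference visible: does the output
// still contain characters that the browser would parse as HTML syntax?
function contains_unescaped_markup($html) {
  return preg_match('/[<>"]/', $html) === 1;
}

$node = make_demo_node();

foreach (array('raw ' . "['value']" => render_raw($node),
               "check_plain(['value'])" => render_escaped($node),
               "['safe'] (assumed pre-escaped)" => $node->field_source[0]['safe']) as $label => $out) {
  printf("%-32s unescaped markup: %-3s  %s\n",
         $label,
         contains_unescaped_markup($out) ? 'yes' : 'no',
         $out);
}
```

Run it with `php example.php`: only the raw ['value'] line still contains `<`, `>` or `"`. Escaping with check_plain() is the right choice when the value is placed in HTML body text or an attribute; a value used elsewhere (a URL, a JavaScript string) needs the escaping function for that context instead.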

#1
A good option is to look in the Variables below the template you are modifying
Teaser Variables
Body Variables
RSS Variables
and then read the note that is under the box
#2
Thanks, but I am not quite sure what you mean. I know I have the Variables comments in the template - I actually do use the $node. However, as it is raw data, it may be unsafe, as indeed stated. Still, there IS a ['safe'] array item inside the CCK field, and my question is whether I may use it instead of calling check_plain() when using the ['value'] array item.
"read the note that is under the box" - did not get it...
Thanks once again, I appreciate the help!
#3
As to reading the note...
In the note it states that those variables marked with a red ** (asterisk) are unsafe, and what to do with them :)
#4
I have no such help in my tpl.
You did not really help...
#5
OK, not sure what's going on. Take a look at the attached screenshot.
Look in Body variables, or whichever section you're working with, and apply the comment in the note
"Click Property...." where it applies.
#6
Well well well... I FINALLY understood what you were talking about :-)
Thanks!