khanh.pndc/nextcloud-docs
1
0
Fork 0
mirror of https://github.com/nextcloud/documentation.git synced 2026-01-04 10:46:21 +07:00
Code Issues Packages Projects Releases Wiki Activity
Files
dc0a87fabca6c6aff530fa855a9194e645223c58
nextcloud-docs/developer_manual/templates.rst
Lukas Reschke c6a644c563 Owncloud => ownCloud
2012-10-29 15:01:13 +01:00

121 lines
3.2 KiB
ReStructuredText
Raw Blame History

Templates
=========
ownCloud uses its own templating system.
TODO: Security: disallow print(), echo, <?=, error_log()
Template class
--------------
Template syntax
---------------
.. php:function:: p($data)
:param $data: the variable/array/object that should be printed
This is the print statement which prints out XSS escaped values. ownCloud does not allow the direct usage of echo or print but enforces wrapper functions to prevent unwanted XSS vulnerabilities. If you want to print unescaped data, look at print_unescaped
**Example:**
.. code-block:: php
<?php $names = array("John", "Jakob", "Tom"); ?>
<div>
<ul>
<?php foreach($names as $name){ ?>
<li><?php $this->p($name); ?></li>
<?php } ?>
</ul>
</div>
.. php:function:: print_unescaped($data)
:param $data: the variable/array/object that should be printed
This function does not escape the content for XSS. This would typically be used to print HTML or JavaScript that is generated by the server and **checked for XSS** vulnerabilities.
**Example:**
.. code-block:: php
<?php $html = "<div>Some HTML</div>"; ?>
<div>
<?php $this->print_unescaped($html); ?>
</div>
.. php:function:: link_to($app, $file, [$args])
:param string $app: the name of your app as a string. If the string is empty, ownCloud asumes that the file is in /core/
:param string $file: the relative path from your apps root to the file you want to access
:param array $args: the GET parameters that you want set in the URL in form key => value. The value will be run through urlencode()
:returns: the absolute URL to the file
This function is used to produce generate clean and absolute links to your files or pages.
**Example:**
.. code-block:: php
<?php
// this will produce the link:
// index.php/news/pages/weather.php?show=berlin
?>
<ul>
<li><a href="<?php
$this->print_unescaped(
$this->link_to('news', 'pages/weather.php',
array("show" => "berlin"));
);
?>">Show Weather for Berlin</a></li>
</ul>
.. php:function:: image_path($app, $image)
:param string $app: the name of your app as a string. If the string is empty, ownCloud looks for the image in core
:param array $image: the filename of the image
:returns: the absolute URL to the image as a string
This function looks up images in several common directories and returns the full link to it. The following directories are being searched:
- /themes/$theme/apps/$app/img/$image
- /themes/$theme/$app/img/$image
- /$app/img/$image
When you pass an empty string for $app, the following directories will be searched:
- /themes/$theme/apps/$app/img/$image
- /themes/$theme/core/img/$image
- /core/img/$image
**Example:**
.. code-block:: php
<img src="<?php $this->print_unescaped(
$this->image_path('news', 'starred.svg');
); ?>" />
.. php:function mimetype_icon($mimetype)
:param array $mimetype: the mimetype for which we want to look up the icon
:returns: the absolute URL to the icon
TBD
Further reading
---------------
- http://en.wikipedia.org/wiki/Cross-site_scripting
- https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
- https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Reference in New Issue View Git Blame Copy Permalink