yii2: BaseHtml::activeHint does not encode hint content

What steps will reproduce the problem?

use yii\base\Model;

class Test extends Model
{
    public $attr;

    // The hint text contains a raw '>' and double quotes, which end up
    // unencoded in the rendered <div class="hint-block">.
    public function attributeHints()
    {
        return [
            'attr' => 'An hint with > "3" unquoted elements'
        ];
    }
}

// $form is an ActiveForm instance, $test is an instance of Test
echo $form->field($test, 'attr');

This generates broken HTML because of the characters in the model hint.

What is the expected result?

We can add support for an ‘encode’ option to BaseHtml.

echo $form->field($test, 'attr', [
    'hintOptions' => [
        'encode' => true
    ]
]);

or

BaseHtml::activeHint($model, 'attr', [
    'encode' => true
]);

Additional info

Yii version: 2.0.39
PHP version: 7.4
Operating system: Debian
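The rendering difference the report describes, as an added example that is not Yii's own code: renderHint() is a hypothetical stand-alone stand-in for BaseHtml::activeHint() that accepts the proposed 'encode' option, and encodeHtml() mirrors the htmlspecialchars() call behind yii\helpers\Html::encode().

```php
<?php
// Added example, not Yii's own code. renderHint() is a hypothetical
// stand-in for BaseHtml::activeHint() that accepts the 'encode' option
// proposed in this issue; encodeHtml() mirrors the htmlspecialchars()
// call behind yii\helpers\Html::encode().

function encodeHtml(string $content): string
{
    // ENT_QUOTES escapes both " and ', ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of returning an empty string.
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderHint(string $hint, array $options = []): string
{
    $encode = $options['encode'] ?? false;   // proposed option, defaults to raw output
    $class  = $options['class'] ?? 'hint-block';
    $body   = $encode ? encodeHtml($hint) : $hint;
    // Attribute values are always encoded, as BaseHtml already does for options.
    return '<div class="' . encodeHtml($class) . '">' . $body . '</div>';
}

// Constructed inputs: the hint from the report, and one containing '<',
// which is the character an HTML parser treats as the start of a tag.
$reportHint = 'An hint with > "3" unquoted elements';
$tagHint    = 'Enter a value < 10';

// Self-check: raw output passes the characters through unchanged ...
if (renderHint($tagHint) !== '<div class="hint-block">Enter a value < 10</div>') {
    throw new RuntimeException('raw rendering changed');
}
// ... while encode => true turns them into character references.
if (renderHint($reportHint, ['encode' => true])
        !== '<div class="hint-block">An hint with &gt; &quot;3&quot; unquoted elements</div>') {
    throw new RuntimeException('encoded rendering unexpected');
}

echo renderHint($reportHint), PHP_EOL;
echo renderHint($reportHint, ['encode' => true]), PHP_EOL;
echo renderHint($tagHint, ['encode' => true]), PHP_EOL;
```

Only the hint body changes between the two calls; the class attribute is encoded in both, which is the label/option behaviour the maintainers refer to below.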

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 35 (35 by maintainers)

Most upvoted comments

Overall it cannot be efficiently done with Yii 2 without too much breakage. Closing because of that. Will continue thinking about it for Yii 3.

Unquoted content must not be used in HTML

No, because of “>” the HTML is broken

This kind of reasoning would let us end up with everything being encoded by default. If a developer uses something that comes from a user and wants to display it, it should be encoded, but it is the developer’s responsibility in that case because the framework is not forcing the use of risky input here. We are doing the same for labels - in both cases only options are encoded because these go as HTML attributes. I would like to hear @dicrtarasov’s response about all this.

I guess that’s because it’s not a good practice to have HTML in your models. @dicrtarasov right?