getkirby / kirby

Kirby's core application folder
https://getkirby.com

Pages section info does not render HTML returned by a model or method anymore #3817

Closed REHvision closed 3 years ago

REHvision commented 3 years ago

Describe the bug: In 3.6 beta-3, Kirby does not render HTML which is returned by a page function (model or method) and only displays it as a string when used in the info of a pages section or in an info section/field.

HTML directly added in the blueprint (e.g. info: "<span class="subpages">{{ page.children.listed.count }}</span>") gets rendered, but if the function returns HTML (e.g. info: "{{ page.customDetails }}") it does not anymore.

To Reproduce: Steps to reproduce the behavior:

  1. Add a page method which returns an HTML string, e.g. (registered in a plugin's pageMethods):
    Kirby::plugin('my/subpages', [
        'pageMethods' => [
            'subpages' => function () {
                // builds an HTML snippet from the number of child pages
                $children = $this->children()->count();
                return "<span class='subpages'>$children subpages</span>";
            },
        ],
    ]);
  2. Call the method in a blueprint, e.g. in the info of a pages section:
    sections:
      pages_section:
        type: pages
        info: "{{ page.subpages }}"
  3. See the HTML being shown as a literal string instead of being rendered

Expected behavior: I would expect it to work as it did up to Kirby 3.6, or is this change intentional maybe?

Screenshots: [screenshot: Bildschirmfoto von 2021-10-18 15-13-17] Info of line 1 is how it looks in 3.6 and info of line 2 is how it looks with HTML directly in the blueprint and also how it looked prior to 3.6 with the method.

Kirby Version: 3.6 beta 3

Console output:

Plugin is replacing "k-block-type-line" index.js:1:28573
                                        index.js:formatted:1512

Desktop:

afbora commented 3 years ago

@REHvision Thanks for the report. There is a breaking change here; you need to use it like this: {< page.subpages >}

Several blueprint options that use the query syntax were updated to escape the placeholder values against raw HTML output that may lead to XSS attacks. HTML code directly in the query (like This is {{ page.important }}) still works as normal. If placeholders need to return HTML, you can use the new {< site.myMethodWithHtml >} syntax. In this case you need to ensure manually that the returned HTML code is safe. With the {{ }} syntax, Kirby performs the escaping for you.

https://getkirby.com/releases/3.6/breaking-changes#panel

Duplicate of #3809, #3804
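
To make the distinction between the two placeholder forms concrete, here is an added example (not Kirby's own code, and not afbora's): a minimal PHP renderer that applies the 3.6 rule quoted above, escaping `{{ key }}` with htmlspecialchars and inserting `{< key >}` unchanged. The function name renderQueryTemplate and the flat array of sample values are assumptions; Kirby resolves queries such as page.subpages against real page objects instead.

```php
<?php
declare(strict_types=1);

// Added example, not Kirby's own code. It mirrors the 3.6 rule quoted above:
// {{ key }} is HTML-escaped before insertion, {< key >} is inserted as raw HTML.
// Kirby resolves queries like page.subpages against real objects; here a flat
// array of constructed sample values stands in for that lookup.

function renderQueryTemplate(string $template, array $values): string
{
    // Alternative 1 captures the escaped form, alternative 2 the raw form.
    $pattern = '/\{\{\s*([\w.]+)\s*\}\}|\{<\s*([\w.]+)\s*>\}/';

    return preg_replace_callback($pattern, function (array $m) use ($values): string {
        // Group 2 is only present and non-empty when the raw {< >} form matched.
        $raw   = isset($m[2]) && $m[2] !== '';
        $key   = $raw ? $m[2] : $m[1];
        $value = (string) ($values[$key] ?? '');

        if ($raw) {
            // Raw form: the method author vouches that the returned HTML is safe.
            return $value;
        }

        // Escaped form: any markup inside the value is shown literally, so a
        // string that originated from untrusted input cannot inject elements.
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }, $template);
}

// Constructed sample values: one from a method that intentionally builds
// HTML, one that an editor typed into a text field.
$values = [
    'page.subpages' => "<span class='subpages'>3 subpages</span>",
    'page.title'    => 'Hello <b>World</b>',
];

// Constructed templates covering the cases discussed in the issue.
$templates = [
    '{{ page.subpages }}'                         => 'escaped: method HTML shown as text',
    '{< page.subpages >}'                         => 'raw: method HTML rendered',
    'Title: {{ page.title }}'                     => 'escaped: editor input neutralised',
    '<b>{{ page.title }}</b> {< page.subpages >}' => 'markup written in the template is untouched',
];

foreach ($templates as $template => $note) {
    printf("%-45s => %s\n", $note, renderQueryTemplate($template, $values));
}
```

Run it with `php` on the command line; the first line of output shows why the reporter saw the span tag as text, and the second shows the `{< >}` form producing the rendered markup. The third case is the reason for the change: a value coming from an editor field goes through the escaping branch, so the only way to get raw markup into the Panel is to opt in explicitly with `{< >}` on a value you control.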

REHvision commented 3 years ago

Thanks for replying and sorry for overlooking this in the release notes :see_no_evil: