Open pine3ree opened 3 years ago
Thanks, I'll take a look ASAP.
Sorry for the delay - I can look into this more.
Do you happen to have a scenario that I could test with? I assume you are using a CKEditor field for the settings, or some other field that is storing markup?
I agree that since settings could be used by someone on the front end for markup (though this wasn't the original intention), that the module should either contain in the instructions this information and show how to apply a textformatter to the retrieved setting, or allow the module to have some config for applying a textformatter or sanitizer.
Hello @outflux3.
In my case I have very few and simple requirements, so I added a limited output-formatting capability.
I simply map the setting input field type to an output pseudo-type: `text`, `html`, `int`, `float` and `bool`, and have this info stored in the db along with the values using the same key (setting-name). The setting object uses this info to return the wanted php type and add html-escaping in case of string (excluding the `html` pseudo-type in case of a ckeditor input-field, i.e. when the content is expected to be valid html already). I also added `getUnformatted($key)` and `of($outputFormatting)` methods, just in case, mimicking the Page methods with the same names.
kind regards.
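
The type-mapped output formatting described in the comment above, sketched as an added example (not pine3ree's code and not the module's own). The class name `FormattedSettings`, the row layout and the `get()` method are assumptions; only `getUnformatted()` and `of()` are names from the comment, and the sample rows are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical settings wrapper: each stored row carries an output pseudo-type.
final class FormattedSettings
{
    /** @var array<string, array{type: string, value: string}> */
    private array $rows;
    private bool $outputFormatting = true;

    public function __construct(array $rows)
    {
        $this->rows = $rows;
    }

    // Switch output formatting on or off; returns the previous state.
    public function of(bool $outputFormatting): bool
    {
        $previous = $this->outputFormatting;
        $this->outputFormatting = $outputFormatting;
        return $previous;
    }

    // Raw stored value, never cast or escaped (for editing forms, exports).
    public function getUnformatted(string $key): ?string
    {
        return $this->rows[$key]['value'] ?? null;
    }

    public function get(string $key)
    {
        if (!isset($this->rows[$key])) return null;
        $raw = $this->rows[$key]['value'];
        if (!$this->outputFormatting) return $raw;
        switch ($this->rows[$key]['type']) {
            case 'int':   return (int) $raw;
            case 'float': return (float) $raw;
            case 'bool':  return filter_var($raw, FILTER_VALIDATE_BOOLEAN);
            case 'html':  return $raw; // editor markup, assumed sanitised on save
            default:      // 'text' and any unknown type fail safe: escaped
                return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
    }
}

$settings = new FormattedSettings([ // constructed sample rows
    'tagline' => ['type' => 'text', 'value' => 'Tom & "Jerry" <script>alert(1)</script>'],
    'footer'  => ['type' => 'html', 'value' => '<p>Contact <em>us</em></p>'],
    'per_page' => ['type' => 'int', 'value' => '25'],
]);
echo $settings->get('tagline'), PHP_EOL;            // escaped for HTML output
echo $settings->getUnformatted('tagline'), PHP_EOL; // raw, as stored
```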
Hello, maybe we should warn that settings field values are not automatically HTML-escaped as for the page fields with output-formatters.