Improvement of auto-escaping

Amaury commented 1 month ago

This evolution improves the auto-escaping feature.

The escape modifier has no effect when auto-escaping is enabled (when no escape format is given, or when the html format is used), to prevent double-escaping.
The other formats of the escape modifier (htmlall, url, urlpathinfo, quotes, javascript) are processed as we may expect, without double-escaping.
The new force format of the escape modifier allows to force double-escaping if needed.
The new raw modifier temporary disables auto-escaping for the expression it is used on.

This Pull Request contains the source code of this evolution, as well as its documentation and unit tests.

wisskid commented 3 weeks ago

This is looking great, @Amaury !

How do you propose we release this? Do you think this calls for a new major version, i.e. Smarty v6 or a minor (v5.4)?

One might argue this requires a major, because behavior is changing for existing templates that use |escape of some form when html auto-escaping is also enabled. On the other hand: that would very likely be unintended anyway.

Amaury commented 3 weeks ago

About the release, I would say that a minor version should be enough; I don't know if anybody if really using auto-escaping and |escape at the same time. On the other hand, it's true this is a deep change of behaviour… I don't know, I let you choose ^^'

Amaury commented 1 day ago

Thank you! :)

Amaury commented 1 day ago

In the end, do you think you will create a major version or a minor one?

wisskid commented 1 day ago

I'm thinking minor.

smarty-php / smarty

Improvement of auto-escaping #1030