I am making the assumption that you are generating HTML. You are aware that browsers treat certain characters (<, >, etc.) as special and process them as HTML? If your content in $row contains any of these characters then your page is basically corrupted. PHP provides a function called PHP: htmlspecialchars - Manual which encodes (often called escaping) these special characters. As a general rule, all content generated should be passed through this function.
And in my own twig example, the problem does not exist:
{% for row in rows %}
<li>{{row}}</li>
{% endfor %}
It’s also interesting to note that twig generated code does indeed use echo statements and avoids switching in and out of the PHP processor. Possibly for performance, possibly because it was easier to generate. Here is a random example:
I’m quite aware of the function and its various cohorts like htmlentities…
Funny, my generated data often has HTML in it – or is already escaped when sent to the database; as such htmlspecialchars is more likely to screw it up than it is to help anything. That’s an assumption about the data we aren’t qualified to make without knowing what the data IS. If you entity what needs to be entities or typecast what should be typecast when saving to the database (a low-access point) it means when you output it (a high-access point) it runs faster; Coding 101 – optimize OUTSIDE the loop, and do all your sanitization/cleaning BEFORE sending data to the database.
Again, after 30 years of writing code, I really do wonder if you kids are taught the basics anymore.
Also, since htmlspecialchars uses ENTITIES, it is incorrect to call it “escaping” as no escape sequences (#27 / 1Bh) are involved. (this is also true of using slashes, they’re not escape sequences!)
I kind of assume that if said characters are in my foreach, it’s because I want them output as is – which is why I handle that LONG before it ever gets shoved into a database.
But then, I do use ckeditor on the back-end a lot. (though I’m not happy with how the new version took it from under 100k to over 500k with no real usability improvements). Could explain why one person who was trying to integrate one of my custom CMS with one of those garbage templating systems was having so many headaches – the code it was outputting was total gibberish with everything turned to entities when it shouldn’t have been.
That was like a year and a half ago though – they finally went “screw it” and just wrote the bloody PHP.
Hey look, stupid use of double-quotes, which it then appears to NOT use the functionality of and instead breaks it into multiple echo statements to do the job of ONE.
Also laughing at the DIV around the form for christmas only knows why, lack of a fieldset, lack of labels, TH+colspan doing LEGEND’s job… though I imagine the garbage “semantics and accessible forms, what’s that?” markup has little to do with TWIG itself, and more to do with what was fed to it.
All that data processing in the output is shamefully bad too – again stuff that should be handled long before the skin ever sees it.
Oh, BTW, you know that every SGML, HTML and XML parser on the planet ignores the reserved character list inside string declarations, right? As such escaping values inside double quotes on form attributes is a waste of code.
(It’s actually why the HTML/XHTML validators *****ing about ampersands inside href’s is actually an error! The open quote on the attribute means there should be no entities inside it requiring an ampersand prefix!)
Again, after 30 years of writing code, I really do wonder if you kids are taught the basics anymore.
I got a real chuckle out of this and took a trip down memory lane. High School, 1973, we got a couple of those mechanical ASCII terminals complete with paper tape readers for program storage. We could dial in to the district computers and run BASIC programs.
In another thread you mentioned programmers being required to learn assembly. Real programmers scoff at keyboards and enter their code directly into core using switches and reading the output on blinking lights. Which I did in college. And I have not so fond memories of dropping the punch cards for a major project in the snow right before a due date. But I did rather enjoy sitting there quietly sipping beer as my batch jobs made their way through the system.
So 2011 - 1973 = 38 years. Got you beat there. Most of those years were spent doing professional development. Which of course means zip.
Oh, BTW, you know that every SGML, HTML and XML parser on the planet ignores the reserved character list inside string declarations, right? As such escaping values inside double quotes on form attributes is a waste of code.
You do understand that validators parse HTML? So your statement is just plain wrong.
I do find it rather difficult to understand the mindset of a developer who would run the risk of generating invalid output when a simple tool is available to prevent it.
As far as your critique of the random sample, I posted it to show how the html was generated and not so much about the html itself.
There is an interesting opportunity here. You seem to feel that using double quotes instead of single quotes is bad. And that multiple echos instead of one echo with commas is also bad. It would be fun to change the twig generator to follow your standards and then see if it actually made any difference at all in real applications.
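An added example, not code from any poster in this thread: a PHP sketch of the output encoding discussed above, applied to a foreach over $rows in both element and quoted-attribute context, with each attribute value read back through DOMDocument to show what a parser recovers from the raw and the encoded markup. The helper names h and parsed_value and the sample rows are constructed for illustration, and the dom extension is assumed to be loaded.

```php
<?php
declare(strict_types=1);

// Encode at the point of output, for the HTML context the value lands in.
// ENT_QUOTES covers both quote characters, so the result can also be placed
// inside a quoted attribute value. Passing $doubleEncode = false leaves
// existing entities (data already encoded before storage) untouched.
function h(string $s, bool $doubleEncode = true): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

// Parse a fragment and return the value attribute of its first <input>,
// i.e. what an HTML parser actually recovers from the generated markup.
function parsed_value(string $html): string
{
    libxml_use_internal_errors(true);   // collect parse warnings quietly
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input instanceof DOMElement ? $input->getAttribute('value') : '';
}

// Constructed sample rows: plain text, markup characters, and a value that
// was already entity-encoded before it was stored.
$rows = [
    'plain text',
    'size <= 10 & "quoted"',
    'Tom &amp; Jerry',
];

foreach ($rows as $row) {
    $raw     = '<input name="q" value="' . $row . '">';     // no encoding
    $encoded = '<input name="q" value="' . h($row) . '">';  // encoded on output

    printf("stored:            %s\n", $row);
    printf("raw round-trip:    %s\n", parsed_value($raw));
    printf("encoded round-trip: %s\n", parsed_value($encoded));
    printf("list item:         <li>%s</li>\n", h($row));
    printf("no double encode:  <li>%s</li>\n\n", h($row, false));
}
```

Comparing the "stored" line with the two round-trip lines for each row shows whether the parser recovered the stored string unchanged; the last two lines show how the double_encode argument treats a value that already contains entities.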