SettingsFactory icon indicating copy to clipboard operation
SettingsFactory copied to clipboard

Published 20 hours ago verified publisher icon outflux3

output formatting

Open pine3ree opened this issue 4 years ago • 3 comments

Hello, maybe we should warn that settings field values are not automatically html-escaped as for the page fields with output-formatters

pine3ree avatar Nov 12 '20 20:11 pine3ree

thanks, i'll take a look asap.

outflux3 avatar Nov 12 '20 21:11 outflux3

Sorry for the delay - i can look into this more.

Do you happen to have a scenario that i could test with? I assume you are using a CKEditor field for the settings, or some other field that is storing markup?

I agree that since settings could be used by someone on the front end for markup (though this wasn't the original intention), that the module should either contain in the instructions this information and show how to apply a textformatter to the retrieved setting, or allow the module to have some config for applying a textformatter or sanitizer.

outflux3 avatar Jul 02 '21 13:07 outflux3

Hello @outflux3. In my case I have very few and simple requirements, so I added a limited output-formatting capability. I simply map the setting input field type to an output pseudo-type: text, html, int, float, bool and have this info stored in the db along with the values using the same key (setting-name). The setting object uses this info to return the wanted php type and add html-escaping in case of string (excluding the html pseudo-type in case of a ckeditor input-field, i.e. when the content is expected to be valid html already). I also added a getUnformatted($key) and of($outputFormatting) methods just in case mimicing the Page methods with the same names. kind regards.

pine3ree avatar Jul 02 '21 19:07 pine3ree