
The templates are a mix of XHTML (or another output format) and eZ template blocks and variables. This document defines the structure and syntax of the eZ template-related parts; the XHTML standard defines how the XHTML/HTML itself should be formatted.

Template variables

Template variables should be named in lower case, with the words separated by _. Attributes should also be lower case and named in the same manner as template variables. Template variables that hold lists should be named as such, because it makes them easier to spot: workflow_list rather than workflows, since telling workflow from workflows at a glance is hard.


Namespaces

Namespaces should start with a capital letter.



Security in templates

All templates shipped with Exponential are designed with security in mind, which means they wash their output properly to avoid XSS exploits. If you create new templates, however, it is important that you take the same steps to secure them.

Output washing

Before displaying stored data in an HTML page you must make sure that it is presentable, especially to avoid cross-site scripting (XSS). This may mean escaping the data or converting it to a different form. This washing must not be done until the data is just about to be shown to the user: the escaping code belongs in the template, not in the class or function that returns the data, because that code cannot know what the client code wants to do with the data.

Example using wash operator

// PHP side: hand the raw, unwashed object to the template
$tpl->setVariable( "obj", $obj );
$tpl->display( "view.tpl" );

// view.tpl
{* text fields are washed for XHTML at the point of output *}
{$obj.title|wash}
{$obj.description|wash}
{* a numeric value can be output as-is *}
{$obj.price}
{* the email type of wash is used for e-mail addresses *}
{$obj.email|wash(email)}

It is also important to make sure that all generated URLs are washed properly. For instance, it is possible to put special characters into a URL that alter the generated HTML in such a way that it runs JavaScript.

In Exponential, URLs are escaped with the ezurl operator, which makes sure the resulting URL is properly escaped and has the correct form for non-virtual hosts.
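The two rules above (wash text for XHTML and wash URLs separately, and do both in the template rather than in the code that returns the data) are shown below in a small, self-contained renderer. This is an added example and not code from eZ or its template engine: wash_xhtml, wash_url, render and double_wash are hypothetical names that play the role of the template operators, and the record and template strings are constructed for the example.

```python
"""Output washing at display time, as an added illustration of the rules above.

Example code, not part of eZ's template engine: wash_xhtml, wash_url, render
and double_wash are hypothetical names that mimic the role of the template
operators, and the data below is constructed.
"""
import html
import re
from urllib.parse import quote, urlsplit


def wash_xhtml(value):
    """Escape a value for XHTML text or attribute content.

    &, <, >, " and ' become character references, so stored markup is shown
    literally instead of being parsed by the browser.
    """
    return html.escape(str(value), quote=True)


# Only relative URLs and http(s) are accepted; percent-encoding alone does not
# make other schemes harmless inside an href.
_ALLOWED_SCHEMES = ("", "http", "https")


def url_scheme_allowed(value):
    """True when the URL is relative or uses http/https."""
    return urlsplit(str(value)).scheme.lower() in _ALLOWED_SCHEMES


def wash_url(value):
    """Make a stored URL safe to place inside href="...".

    Step 1 percent-encodes anything that could terminate the attribute or
    start a tag (space, ", <, >, ...) while keeping the characters a URL
    needs. Step 2 applies XHTML escaping so that & in a query string becomes
    &amp;, which is what attribute content requires.
    """
    text = str(value)
    if not url_scheme_allowed(text):
        raise ValueError("refusing URL with disallowed scheme")
    encoded = quote(text, safe="/:?=&#%+@;,~")
    return html.escape(encoded, quote=True)


WASHERS = {"xhtml": wash_xhtml, "url": wash_url}

# Matches {$name}, {$name|wash} and {$name|wash(type)}: group 2 is None when
# no wash filter was given, group 3 is the optional wash type.
_PLACEHOLDER = re.compile(r"\{\$(\w+)(\|wash(?:\((\w+)\))?)?\}")


def render(template, variables):
    """Substitute placeholders, washing each value as the template asks.

    `variables` holds raw stored data; nothing is escaped before this point,
    which is where the text above says washing belongs.
    """
    def substitute(match):
        name, wash_filter, wash_type = match.groups()
        value = variables[name]
        if wash_filter is None:
            # Unwashed output is acceptable only for values the application
            # controls completely, such as the numeric price below.
            return str(value)
        return WASHERS[wash_type or "xhtml"](value)

    return _PLACEHOLDER.sub(substitute, template)


def double_wash(value):
    """What happens when a getter escapes and the template escapes again:
    the visitor sees the literal text &lt;b&gt;. This is why washing belongs
    in the template only."""
    return wash_xhtml(wash_xhtml(value))


# Constructed sample record, as it might come back from storage.
OBJ = {
    "title": '<script>alert("xss")</script>Welcome',
    "price": 42,
    "link": '/content/view/full/1?name=a b"><script>',
}

# Constructed template in the placeholder syntax the renderer understands.
TEMPLATE = ('<h1>{$title|wash}</h1><p>{$price}</p>'
            '<a href="{$link|wash(url)}">view</a>')


if __name__ == "__main__":
    print(render(TEMPLATE, OBJ))
    print(double_wash("<b>"))
```

Running the module shows the stored script tag rendered as inert text and the link attribute kept intact, with the quote and angle brackets percent-encoded. The double_wash call shows the double-escaping that results when a data getter washes too, which is the failure the text above warns against.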

Example using ezurl operator

