As jacine with angelic patience has explained her concerns over the last few weeks and suffered through my blundering over trying to solve them, I arrived fairly prepared for the theme sprint and we have agreed on a lot more than we disagreed. Actually we didn't need to debate over anything at all! :)
- On the caller side, we are going to go with something like

    $list1 = new Template('list', array('items' => array('listitem1', 'listitem2')));

  Of course, this can be made recursive:

    $list2 = new Template('list', array('items' => array('listitem1', $list1)));

  The Template class will have a __toString() method and that's how the recursive printing will work: automatically. This data structure will contain no caller-added HTML (i.e. do not add HTML to your modules) but it might contain user input HTML (e.g. from the database). The templating engine needs to be responsible for making it secure.
- Speaking of security, on the templating end, we have agreed that the templating provides a default escaping which is adequate for HTML text and passable for HTML attributes (although you probably want to strip tags instead of escaping tags for attributes). Text which should be run through check_markup() will be carried in another class which has a __toString() method that does the filtering automatically upon printing. So templates will never be required to specify escaping in order to handle security. In some cases, templates will want to print a variable that contains HTML inside an attribute value or a <title> tag, and therefore strip tags from it, and they'll have an easy way to do so; but not doing so will simply result in some markup appearing where it shouldn't, not in a security vulnerability. Currently we do escaping in preprocess, and we do it poorly because we try to have one variable which fits every context. That is somewhat impossible, as you might want to print the same value check_markup()'d inside an <h1> and strip_tags()'d inside a <title>.
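As an added sketch of the design described above (this is not the code in chx's sandbox), the following PHP shows how the two classes fit together: plain strings get default escaping, a FilteredMarkup wrapper filters itself on printing, nested Template objects print recursively, and a helper strips tags for attribute or <title> context. The class name FilteredMarkup, the escape()/plain() helpers and the tag whitelist standing in for check_markup() are assumptions.

```php
<?php
// Added illustration of the design above, not chx's sandbox code. FilteredMarkup,
// escape(), plain() and the tag whitelist replacing check_markup() are assumptions.

// Text that must go through check_markup() before output. Filtering happens
// automatically when the object is printed, so templates never ask for it.
class FilteredMarkup {
    private $text;
    public function __construct($text) { $this->text = $text; }
    public function __toString() {
        // Stand-in for check_markup($this->text, $format): keep a few safe tags.
        return strip_tags($this->text, '<a><em><strong><p>');
    }
}

class Template {
    private $name;
    private $vars;
    public function __construct($name, array $vars) {
        $this->name = $name;
        $this->vars = $vars;
    }
    // Default escaping, adequate for HTML text. Nested Template and FilteredMarkup
    // objects are already safe and print themselves through __toString().
    protected function escape($value) {
        if ($value instanceof Template || $value instanceof FilteredMarkup) {
            return (string) $value;
        }
        return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    // The "easy way" for <title> or attribute values: drop tags, then escape.
    protected function plain($value) {
        return htmlspecialchars(strip_tags((string) $value), ENT_QUOTES, 'UTF-8');
    }
    public function __toString() {
        // Stand-in for a template file; only the 'list' template is known here.
        if ($this->name !== 'list') {
            return '';
        }
        $out = '<ul title="' . $this->plain($this->vars['title']) . '">';
        foreach ($this->vars['items'] as $item) {
            $out .= '<li>' . $this->escape($item) . '</li>';
        }
        return $out . '</ul>';
    }
}

// Untrusted text is escaped, filtered markup keeps only allowed tags, and the
// nested list prints recursively; no HTML was built by the caller.
$list1 = new Template('list', array('title' => '<b>inner</b>', 'items' => array('<script>alert(1)</script>', 'listitem2')));
$list2 = new Template('list', array('title' => 'outer', 'items' => array(new FilteredMarkup('<em>ok</em><script>x</script>'), $list1)));
echo $list2;
```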
- Mostly because of security, we do not want templates to contain raw PHP. Basically, the moment JohnAlbin stood up in Denver and said "We hand themers a loaded gun and tell them to hammer in a nail with it. Oh, and be careful", PHPTemplate was finally dead. Finally, because the security team had been thinking for many years about how to make PHPTemplate secure...
- Now, among the non-PHP solutions we really like Twig. It's extensible, security-focused, fast and it's what Symfony uses and we seem to want to woo Symfony developers.
- Coding commenced at http://drupal.org/sandbox/chx/1541306