New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add the possibility to register classes/interface as being safe #3025
Conversation
5b563ef
to
6b06269
Compare
Looks promising! If you want to avoid having quasi singleton semantics in |
@lstrojny that would not work, as the cached compiled template would have to be invalidated when that change, so using the spl object hash would force to always invalidate the cache for each HTTP request. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
btw, changing safe classes does not invalidate the cache AFAICT.
@fabpot maybe |
nvm, this is runtime escaping, not compile-time one. |
Before going further here, I propose to move everything related to the escaping implementation to EscaperExtension. See #3026. One consequence of these changes will be that this feature will only be available as of Twig 2.x (as in Twig 1.x, we cannot be sure that both CoreExtension and EscaperExtension are available). |
Not sure I get that: what’s the relationship of this topic and compiled templates, aren’t all escaping checks runtime only? |
…::getEscaper() in favor of the same methods on EscaperExtension (fabpot) This PR was merged into the 2.x branch. Discussion ---------- Deprecate CoreExtension::setEscaper() and CoreExtension::getEscaper() in favor of the same methods on EscaperExtension This is some preliminary work to ease #3025. Everything related to escaping is now part of the `EscaperExtension` instead of `CoreExtension`. This PR is submitted on 2.x because both extensions are always available in 2.x (which is not the case on 1.x). Commits ------- 59d1d5d deprecated CoreExtension::setEscaper() and CoreExtension::getEscaper() in favor of the same methods on EscaperExtension
2ed0029
to
936f46f
Compare
I think it's ready for another round of reviews. |
…ing safe (fabpot) This PR was squashed before being merged into the 2.x branch (closes #3025). Discussion ---------- Add the possibility to register classes/interface as being safe closes #2548 To avoid a too big performance impact on the escaper, we aggressively cache the safe classes, which means that changing the. configuration at runtime is not possible (and having different ones on 2 Twig instances is not possible either, this is really *globally* configured). Commits ------- fe6503f - b18733b added the possibility to register classes/interfaces as being safe for the escaper
What is the suggested/easiest way to configure this in Symfony? |
closes #2548
To avoid a too big performance impact on the escaper, we aggressively cache the safe classes, which means that changing the. configuration at runtime is not possible (and having different ones on 2 Twig instances is not possible either, this is really globally configured).