save auto-escaping of generated URLs when possible for performance reasons
This commit is contained in:
parent
1099858678
commit
0721ff8843
@ -35,8 +35,8 @@ class RoutingExtension extends \Twig_Extension
|
|||||||
public function getFunctions()
|
public function getFunctions()
|
||||||
{
|
{
|
||||||
return array(
|
return array(
|
||||||
'url' => new \Twig_Function_Method($this, 'getUrl'),
|
'url' => new \Twig_Function_Method($this, 'getUrl', array('is_safe_callback' => array($this, 'isUrlGenerationSafe'))),
|
||||||
'path' => new \Twig_Function_Method($this, 'getPath'),
|
'path' => new \Twig_Function_Method($this, 'getPath', array('is_safe_callback' => array($this, 'isUrlGenerationSafe'))),
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -50,6 +50,44 @@ class RoutingExtension extends \Twig_Extension
|
|||||||
return $this->generator->generate($name, $parameters, $schemeRelative ? UrlGeneratorInterface::NETWORK_PATH : UrlGeneratorInterface::ABSOLUTE_URL);
|
return $this->generator->generate($name, $parameters, $schemeRelative ? UrlGeneratorInterface::NETWORK_PATH : UrlGeneratorInterface::ABSOLUTE_URL);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determines at compile time whether the generated URL will be safe and thus
|
||||||
|
* saving the unneeded automatic escaping for performance reasons.
|
||||||
|
*
|
||||||
|
* The URL generation process percent encodes non-alphanumeric characters. So there is no risk
|
||||||
|
* that malicious/invalid characters are part of the URL. The only character within an URL that
|
||||||
|
* must be escaped in html is the ampersand ("&") which separates query params. So we cannot mark
|
||||||
|
* the URL generation as always safe, but only when we are sure there won't be multiple query
|
||||||
|
* params. This is the case when there are none or only one constant parameter given.
|
||||||
|
* E.g. we know beforehand this will be safe:
|
||||||
|
* - path('route')
|
||||||
|
* - path('route', {'param': 'value'})
|
||||||
|
* But the following may not:
|
||||||
|
* - path('route', var)
|
||||||
|
* - path('route', {'param': ['val1', 'val2'] }) // a sub-array
|
||||||
|
* - path('route', {'param1': 'value1', 'param2': 'value2'})
|
||||||
|
* If param1 and param2 reference placeholder in the route, it would still be safe. But we don't know.
|
||||||
|
*
|
||||||
|
* @param \Twig_Node $argsNode The arguments of the path/url function
|
||||||
|
*
|
||||||
|
* @return array An array with the contexts the URL is safe
|
||||||
|
*/
|
||||||
|
public function isUrlGenerationSafe(\Twig_Node $argsNode)
|
||||||
|
{
|
||||||
|
// support named arguments
|
||||||
|
$paramsNode = $argsNode->hasNode('parameters') ? $argsNode->getNode('parameters') : (
|
||||||
|
$argsNode->hasNode(1) ? $argsNode->getNode(1) : null
|
||||||
|
);
|
||||||
|
|
||||||
|
if (null === $paramsNode || $paramsNode instanceof \Twig_Node_Expression_Array && count($paramsNode) <= 2 &&
|
||||||
|
(!$paramsNode->hasNode(1) || $paramsNode->getNode(1) instanceof \Twig_Node_Expression_Constant)
|
||||||
|
) {
|
||||||
|
return array('html');
|
||||||
|
}
|
||||||
|
|
||||||
|
return array();
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns the name of the extension.
|
* Returns the name of the extension.
|
||||||
*
|
*
|
||||||
|
Reference in New Issue
Block a user