typisttech/wp-kses-view

Safely rendering for WordPress, the OOP way

0.5.0 2019-04-23 12:55 UTC


Last update: 2024-12-24 01:58:43 UTC


README


Safely rendering for WordPress, the OOP way.

Install

Installation should be done via Composer; details of how to install Composer can be found at https://getcomposer.org/.

$ composer require typisttech/wp-kses-view

You should put all WP Kses View classes under your own namespace to avoid class name conflicts.

Usage

Static Example

<?php
// This is `template.php`.

echo '<h1>Hello World!</h1>';
echo '<p>Using PHP echo</p>';

?>

<p>Or, it can be plain HTML</p>
<script>alert('XSS hacking!');</script>

<?php
// This is the caller, e.g. `index.php`.

use TypistTech\WPKsesView\Factory;

$template = '/path/to/template.php';
$view = Factory::build($template);

$view->render();
// This echoes:
// <h1>Hello World!</h1>
// <p>Using PHP echo</p>
// <p>Or, it can be plain HTML</p>
// alert('XSS hacking!');

Note that the <script> tags have been sanitized away; only their inner text remains.

Render with Context Example

<?php
// This is `template.php`.

printf(
    '%1$s has %2$d dragons.',
    $context->name,
    $context->dragons
);

<?php
// This is the caller, e.g. `index.php`.

use TypistTech\WPKsesView\Factory;

$template = '/path/to/template.php';
$context = (object) [
    'name' => 'Daenerys Targaryen',
    'dragons' => 3,
];
$view = Factory::build($template);

$view->render($context);
// This echoes:
// Daenerys Targaryen has 3 dragons.

View

__construct(string $template, array $allowedHtml)

View constructor.

  • @param string $template Filename of the template to render.
  • @param array $allowedHtml List of allowed HTML elements.

$allowedHtml will later be passed to wp_kses, so it must use the wp_kses array format (tag name => list of allowed attributes).

wp_kses_allowed_html('post') is a good start if you are not sure which HTML tags to allow.

<?php

use TypistTech\WPKsesView\View;

$template = '/path/to/my/template.php';

$view = new View(
    $template,
    wp_kses_allowed_html('post')
);

render($context = null)

Echo the view safely, with an optional context object.

  • @param mixed $context Optional. Context object for which to render the view.

$view->render();

$view->render($someObject);

toHtml($context = null): string

Convert the view to safe HTML and return it as a string.

  • @param mixed $context Optional. Context object for which to render the view.

$html = $view->toHtml();

$htmlWithContext = $view->toHtml($someObject);

If you pass in a context object, you can reference it in your template as $context. Think of $context as the M in the MVC pattern.

Template

A template can be any file; it is not limited to .php files. Common use cases are:

  • .php
  • .html
  • .js

If you pass in a context object, you can reference it in your template as $context.

Think of templates as the .erb files under the app/view directory in a Rails app.

Helpers

This package provides Factory, ViewAwareTrait and NullView to reduce boilerplate code for common use cases. Check their well-documented source code and their tests to learn more.

Frequently Asked Questions

Why are some HTML tags stripped out?

This is the heart of this package: dangerous HTML tags are removed during rendering.

To allow an HTML tag:

  • Add the tag to $allowedHtml when instantiating a view object.

Check wp_kses's documentation to learn more.

When in doubt, wp_kses_allowed_html('post') is a good start.
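An added example (not code from the package or its README) that ties the constructor's $allowedHtml parameter to this FAQ: a deliberately narrow allow-list rendered against a constructed template that carries both legitimate markup and injection attempts. It assumes WordPress is loaded (so wp_kses() and wp_allowed_protocols() exist) and the Composer autoloader is already included; the template path and the context values are constructed for the demonstration.

```php
<?php
// Added example, not part of wp-kses-view. Assumes WordPress is bootstrapped
// and the Composer autoloader has been required.
use TypistTech\WPKsesView\View;

// Constructed template written to a temp file: a link, inline formatting,
// an inline event handler and a <script> block.
$template = sys_get_temp_dir() . '/wp-kses-view-example.php';
$templateSource = <<<'PHP'
<?php
printf(
    '<p>Hi <strong>%1$s</strong>, <a href="%2$s" onclick="alert(1)">your profile</a></p>',
    $context->name,
    $context->url
);
echo '<script>alert("XSS")</script>';
PHP;
file_put_contents($template, $templateSource);

// Allow-list in wp_kses format: tag => [attribute => true].
// Anything not listed (script, onclick, style, ...) is removed on render.
$allowedHtml = [
    'p'      => [],
    'strong' => [],
    'a'      => ['href' => true, 'title' => true],
];

$view = new View($template, $allowedHtml);

// Constructed context; the url is a hostile value a user could have stored.
$context = (object) [
    'name' => 'Daenerys',
    'url'  => 'javascript:alert(1)',
];

// toHtml() returns the sanitized markup; render() would echo the same thing.
$html = $view->toHtml($context);

// What wp_kses does with this allow-list:
// - <p>, <strong> and <a href> are kept;
// - the onclick attribute is dropped because it is not allowed on <a>;
// - the <script> tags are removed (their inner text survives as plain text);
// - the javascript: scheme is stripped from href because it is not in
//   wp_allowed_protocols().
echo $html;

unlink($template);
```

Compare the output against wp_kses_allowed_html('post') to see how much more that default allows; a per-view allow-list like the one above is the least-privilege choice when the template only needs a few tags.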

Is this a plugin?

No, this is a package that should be part of your plugin.

What should I do when the wp.org plugin team tells me to clean up the vendor folder?

Re-install packages via the following command. This package exports only the necessary files to dist.

$ composer install --no-dev --prefer-dist --optimize-autoloader

Can two different plugins use this package at the same time?

Yes, if you put all WP Kses View classes under your own namespace to avoid class name conflicts.

Do you have real life examples that use this package?

Here you go:

Add your own plugin here

It looks awesome. Where can I find some more goodies like this?

Support

Love wp-kses-view? Help me maintain it; a donation here can help with that.

Why don't you hire me?

Ready to take freelance WordPress jobs. Contact me via the contact form here or via email at info@typist.tech.

Want to help in other ways? Want to be a sponsor?

Contact: Tang Rufus

Developing

To set up a working developer version, run these commands:

$ composer create-project --keep-vcs --no-install typisttech/wp-kses-view:dev-master
$ cd wp-kses-view
$ composer install

Running the Tests

TODO: Re-add tests.

See: https://github.com/TypistTech/wp-kses-view/commit/45f95d3f1f062c51ddbd8a5da7d6e8317fccff97

Feedback

Please provide feedback! We want to make this package useful in as many projects as possible. Please submit an issue and point out what you do and don't like, or fork the project and make suggestions. No issue is too small.

Change log

Please see CHANGELOG for more information on what has changed recently.

Security

If you discover any security related issues, please email wp-kses-view@typist.tech instead of using the issue tracker.

Contributing

Please see CONTRIBUTING and CODE_OF_CONDUCT for details.

Credits

WP Kses View is a Typist Tech project maintained by Tang Rufus, a freelance developer for hire.

The full list of contributors can be found here.

License

WP Kses View is licensed under the GPLv2 (or later) from the Free Software Foundation. Please see the License File for more information.