{
    "href": "/post/2005/07/28/savant-240-released/",
    "relId": "2005/07/28/savant-240-released",
    "title": "Savant 2.4.0 Released",
    "author": "pmjones",
    "markup": "html",
    "tags": [
        {
            "href": "/tag/php/",
            "relId": "php",
            "title": "PHP",
            "author": null,
            "created": null,
            "updated": [],
            "markup": "markdown"
        }
    ],
    "created": "2005-07-28 15:48:08 UTC",
    "updated": [
        "2005-07-28 15:48:08 UTC"
    ],
    "html": "<p>FYI:  David Mytton of <a href=\"http://www.olate.co.uk/\">Olate Ltd</a> has written a great <a href=\"http://www.sitepoint.com/blog-post-view.php?id=284448\">introduction to and review of Savant over at SitePoint</a>.  Thanks, David!  :-)</p>\n<p>And now, back to our regularly-scheduled blog entry:</p>\n<p>After a bit of kerfuffle over cross-site scripting attacks, and working to sanitize some template output, I realized how useful it would be for Savant to help automate escaping of values for output.  After a few days of <a href=\"http://six.pairlist.net/pipermail/savant-talk/2005-July/thread.html\">mailing-list discussion</a> about how such functionality should work, I've released <a href=\"http://phpsavant.com\">Savant 2.4.0</a> with a handful of new methods built-in:</p>\n<ul>\n<li>\n<code>setEscape()</code> and <code>addEscape()</code> to define what callbacks to use when escaping output</li>\n<li>\n<code>getEscape()</code> to retrieve the array of escaping callbacks</li>\n<li>\n<code>$this-&gt;escape()</code> to escape-and-return a value</li>\n<li>\n<code>$this-&gt;_()</code> to escape-and-echo a value</li>\n</ul>\n<p>The default escaping callback is <a href=\"http://php.net/htmlspecialchars\">htmlspecialchars()</a>, but you can add any number of your own.  For example, after instantiating Savant, you can do something like this:</p>\n<pre><code>$savant =&amp; new Savant2();\n$savant-&gt;setEscape(\n    'strip_tags',\n    'htmlspecialchars',\n    array('StaticClass', 'method'),\n    array($objectInstance, $objectMethod)\n);\n</code></pre>\n<p>Each of the parameters is a callback suitable for <a href=\"http://php.net/call_user_func\">call_user_func()</a>, and you can use an arbitrary number of parameters.</p>\n<p>These callbacks are applied, in order, whenever you use the <code>$this-&gt;_()</code> or <code>$this-&gt;escape()</code> methods in your Savant templates (which are, of course, just PHP scripts dedicated to presentation logic).  For example, instead of <code>echo htmlspecialchars($this-&gt;value)</code>, you would call <code>$this-&gt;_($this-&gt;value)</code> (and the default htmlspecialchars escaping will be applied).</p>\n<p>In addition, you can override the default escaping.  You may optionally pass an arbitrary number of added parameters to escape() or _(), and these will be treated as callbacks to apply to the value instead of the default escaping callbacks.  For example, <code>$this-&gt;_($this-&gt;value, 'strip_tags', 'my_escape_function', array('StaticClass', 'method'))</code> will override the default escaping with the callbacks listed as the added parameters.</p>\n<p><strong>Update:</strong> The documentation on the Savant site has been updated: all examples using \"echo\" have been changed to \"$this-&gt;_()\", and the escaping methods themselves have also been documented.</p>\n"
}
