So my app uses quite a lot of partials for things such as the navigation bar, assets, flash messages and more.
For extra safety I'd like to turn on autoescape so that all volt {{ .. }} (PHVOLT_T_ECHO) tags automatically escape input, adding another layer of prevention against XSS issues and more. I'm doing this using setOptions and 'autoescape' => true on the volt engine class.
Turning this on however also auto escapes tags such as {{ partial("partials/navbar") }} which means that the entire navbar turns into plain HTML.
I'm aware that I could use something like <?= $this->partial("partials/navbar") ?> to avoid this, but that kind of ruins the tidiness of everything.
Do you guys have any tips or tricks to overcome this issue?
Perhaps we should add new syntax next to PHVOLT_T_ECHO in the volt compiler, looking like e.g. {! <unsafe string> !}, which passes a boolean to compileEcho function to ignore the escapeHtml line inside that function.
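One way to keep the engine-wide `'autoescape' => true` and still render the navbar partial as HTML, as an added example that is not part of the original post: Volt's `{% autoescape %}` block tag overrides the setting only for the statements it wraps, so the exception can be scoped to the trusted `partial()` call while everything else on the page stays escaped. The template below is constructed for illustration; `page_title` and `flash_messages` are assumed view variables, and `partials/navbar` is the partial named in the post.

```twig
{# layout.volt (constructed example): the engine is configured with
   setOptions(['autoescape' => true]), so every {{ }} in this file
   is wrapped in escapeHtml() unless a block below says otherwise #}
<!DOCTYPE html>
<html>
<head>
    {# page_title is an assumed view variable; stays escaped #}
    <title>{{ page_title }}</title>
</head>
<body>
    {# Exempt only the partial() call. The block restores the
       engine-wide setting as soon as it closes, so the exception
       cannot leak into the rest of the layout. #}
    {% autoescape false %}
        {{ partial("partials/navbar") }}
    {% endautoescape %}

    {# Back under autoescape: flash messages can carry user-supplied
       text, so they are escaped before they reach the browser.
       flash_messages is an assumed view variable. #}
    {% for message in flash_messages %}
        <div class="flash">{{ message }}</div>
    {% endfor %}
</body>
</html>
```

Only the `partial()` call itself is exempted; the navbar template is compiled on its own and keeps the engine-wide setting for its own `{{ }}` tags, so user data echoed inside the partial is still escaped.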