Flash Output with autoEscape enabled by Default. How to disable it?

In my application I have a message output with some HTML. In Phalcon 2.0.x it works fine: the div tag shows the messages and the fancy HTML was taken to show H2, A and other HTML tags.

Now with Phalcon 3.0.0 the autoEscape option is enabled by default for flash.output() and all code is shown as text, in this way:

<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button> <h4><i class="icon fa fa-ban"></i> Caution </h4>You do not have permission to access this area.

when it should present text like this:

Caution
You do not have permission to access this area.

The new version announcement says:

• Added ability to autoescape Flash messages #11448

$flash = new Phalcon\Flash\Session;
$flash->setEscaperService(new Phalcon\Escaper);

$flash->success("<script>alert('This will execute as JavaScript!')</script>");
echo $flash->output();
// <div class="successMessage"><script>alert('This will execute as JavaScript!')</script></div>

I tried to set an autoescape config in my view near the flash.output() code:

{% autoescape false %}
            {{ flash.output() }}
{% endautoescape %}

But it is not working; flash.output() shows the code escaped. How can I send other HTML tags to a flash message with no autoescape in Phalcon 3.x?

If we look at phalcon/flash.zep, the code shows that autoescape is checked, but how can we set this value in my Phalcon PHP code to change the true value to false? https://github.com/phalcon/cphalcon/blob/master/phalcon/flash.zep#L263

Any idea?

You can try

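// Assumes the direct flash service; alias Phalcon\Flash\Session instead for session-backed messages.
use Phalcon\Flash\Direct as Flash;

$di->set('flash', function(){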
    $flash = new Flash(array(
        'error' => 'alert alert-error',
        'warning' => 'alert alert-warning',
        'success' => 'alert alert-success',
        'notice' => 'alert alert-notice',
    ));

    $flash->setAutoescape(false); // Here's how to change autoescape

    return $flash;
});

Hi Jimmy Chandra,

This code works great, the flash output shows no spaced text.

Thank you for sharing.


I found another solution to the autoescape flash.output() behaviour, following this old post.

With some of the flash code from zcms, I found a way to personalize flash messages.

{% set _messageFlashSession = flashSession.getMessages() %}
{% if _messageFlashSession|length >0 %}
    <!-- Flash session -->
    {% set _classExtra = [ "warning" : "alert-warning", "notice" : "alert-warning", "success" : "alert-success", "error" : "alert-danger" ] %}
    <div style="width: 70%; margin-top: 7px;">
        {% for key, item in _messageFlashSession %}
            {% for childItem in item %}
                <div class="alert {{ _classExtra[key] }}">
                    <button data-dismiss="alert" class="close">×</button>
                    {{ childItem }}
                </div>
            {% endfor %}
        {% endfor %}
    </div>
    <!-- End Flash session -->    
{% endif %}

In the message you can send some HTML code to the view, use the correct icon and a more descriptive "title", not just error, success, info, or warning. Some examples here:

$this->flash->error('<h4><i class="icon fa fa-ban"></i> Caution </h4>You do not have permission to access this area.');

or use some word related to the executed action, like this:

$this->flash->success("<h4><i class='icon fa fa-check'></i> Done!</h4> Account data has been saved successfully.");

This code shows flash messages like this: https://imgur.com/a/b44so
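
With autoescape switched off as in the answers above, every part of a flash message reaches the page as raw HTML, so any variable text placed in it has to be escaped by the caller. The following is an added example, not code from the thread or from Phalcon: the helper name flashMarkup and the sample account name are hypothetical, and it keeps only the fixed markup raw while escaping the title and text.

```php
<?php
// Added example: not code from the thread or from Phalcon.
// flashMarkup() is a hypothetical helper; only its fixed markup is emitted raw.

/**
 * Build a flash message body for a flash service whose autoescape is off.
 * The icon class comes from an allow-list; title and text are escaped.
 */
function flashMarkup(string $type, string $title, string $text): string
{
    // Allow-list of icon classes, matching the ones used in the thread.
    $icons = [
        'error'   => 'icon fa fa-ban',
        'success' => 'icon fa fa-check',
    ];
    if (!isset($icons[$type])) {
        throw new InvalidArgumentException("Unknown flash type: $type");
    }

    // Escape everything that is not part of the fixed markup.
    $esc = static function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    };

    return sprintf(
        '<h4><i class="%s"></i> %s</h4>%s',
        $icons[$type],
        $esc($title),
        $esc($text)
    );
}

// Constructed input: an account name that a user controls.
$accountName = '<script>alert(1)</script>';

$message = flashMarkup(
    'success',
    'Done!',
    "Account data for $accountName has been saved successfully."
);
echo $message, PHP_EOL;

// In a controller the string would be passed on unchanged:
//   $this->flash->success($message);
```

The same rule applies to the Volt template above: `{{ childItem }}` prints the stored message as-is, so the escaping has to happen when the message is built.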