
Flash\Session and setAutoescape false and redirect

Hi,

Just asking myself if it's the right way to go: when using Flash\Session::setAutoescape(false) and redirecting afterwards, the message is escaped:

// Warning queued before the redirect (message text translated from French);
// the <br> and <a> are intended as markup, hence setAutoescape(false).
$this->flashSession->setAutoescape(false)->warning(
    sprintf("You already have an account. <br><a href='%s'>Reset my password</a>",
        $this->di->getUrl()->get('session/reinitialiser')
    )
);

$this->response->redirect('inscription');

I think it's normal because, by default, autoescape is set to true, so when the redirect happens, autoescape takes true again.

So I explicitly set it to false by default when defining it:

use Phalcon\Flash\Session as FlashSession;

$container->set('flashSession', function () {
    $f = (new FlashSession())
        ->setImplicitFlush(true)
        ->setAutoescape(false)   // escaping off for every message, on every request
        ->setCssClasses([
            'error'   => 'message is-danger',
            'success' => 'message is-success',
            'notice'  => 'message is-info',
            'warning' => 'message is-warning',
        ]);
    return $f;
});

Maybe a bad practice for security, or something else?

Regards,

Disabling autoescape means you'll need to remember to escape the messages when outputting them. That may incur a bit of technical debt. On the other hand, escaping will make your HTML tags appear as text.

If your flashed messages are only coming from the system and will never contain user entered values, disabling auto escaping should be fine.



Thanks @Dylan.

Maybe it could be an improvement for Flash\Session to remember whether or not to escape on a per-message basis?

In your first example, where you're setting autoEscape, you're doing it for the whole application for that page load. You wouldn't need to turn off autoEscaping each time you set a message.

If you want the ability to programmatically turn on and off auto escaping, and have the application remember that between page loads, it should be pretty easy to write a custom class that extends Flash\Session with a new rememberAutoEscape() method, and an updated constructor method that calls setAutoEscape().
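As an added example (not from the thread and not Phalcon's own code), the standalone PHP class below illustrates the two points made in the replies: the escaping decision must not depend on whichever autoescape setting happens to be active on the request after the redirect, and a message may only be trusted as HTML when the template is developer-written and every interpolated value has already been escaped. It mimics the flash-over-redirect behaviour discussed above with a plain array standing in for the PHP session, rather than extending Phalcon's Flash\Session. The reset URL is an assumption of what getUrl()->get('session/reinitialiser') would return, and the "email" is a constructed attacker input.

```php
<?php
// Standalone illustration (not Phalcon's Flash\Session): a flash store that
// records a per-message "trusted HTML" flag in the session, so the escaping
// decision is made when the message is queued, not by a global autoescape
// setting on the request that finally renders it.
declare(strict_types=1);

final class FlashStore
{
    /** @var array<int, array{type: string, message: string, raw: bool}> */
    private array $queue;

    /** @var array<string, mixed> stand-in for $_SESSION, held by reference */
    private array $storage;

    // $storage replaces $_SESSION so the example runs from the CLI without session_start().
    public function __construct(array &$storage)
    {
        $this->storage = &$storage;
        $this->queue = $storage['_flash'] ?? [];
    }

    // Default path: the message is plain text and is escaped on output.
    public function message(string $type, string $message): void
    {
        $this->queue[] = ['type' => $type, 'message' => $message, 'raw' => false];
        $this->storage['_flash'] = $this->queue;
    }

    // Trusted-markup path: the template is fixed, developer-written HTML, and
    // every interpolated value is escaped here, so user input can never become markup.
    public function html(string $type, string $template, string ...$values): void
    {
        $escaped = array_map(
            static fn (string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
            $values
        );
        $this->queue[] = ['type' => $type, 'message' => sprintf($template, ...$escaped), 'raw' => true];
        $this->storage['_flash'] = $this->queue;
    }

    // Called on the next request (after the redirect): renders, then clears the queue.
    public function output(array $cssClasses): string
    {
        $out = '';
        foreach ($this->queue as $m) {
            $body = $m['raw']
                ? $m['message']
                : htmlspecialchars($m['message'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $out .= sprintf("<div class=\"%s\">%s</div>\n", $cssClasses[$m['type']] ?? $m['type'], $body);
        }
        $this->queue = [];
        unset($this->storage['_flash']);
        return $out;
    }
}

// --- Request 1: the registration controller queues messages, then redirects.
$session  = [];                        // constructed stand-in for the PHP session
$flash    = new FlashStore($session);
$resetUrl = '/session/reinitialiser';  // assumed result of $this->di->getUrl()->get('session/reinitialiser')
$flash->html('warning', "You already have an account. <br><a href='%s'>Reset my password</a>", $resetUrl);

// Constructed attacker input: an "email" typed into the form and echoed back.
// With ENT_QUOTES the closing single quote of the href cannot be broken out of.
$email = "x@example.com'><img src=x onerror=alert(1)>";
$flash->html('notice', "We sent a confirmation to <strong>%s</strong>.", $email);

// Plain-text path for comparison: tags in the message itself are rendered as text.
$flash->message('error', "<b>Not</b> markup: plain text is escaped on output");

// --- Request 2: a fresh FlashStore (as after the redirect) renders from the session.
$flash2 = new FlashStore($session);
echo $flash2->output([
    'warning' => 'message is-warning',
    'notice'  => 'message is-info',
    'error'   => 'message is-danger',
]);
```

Because the raw flag travels with the message in the session, the request that renders it needs no global autoescape state at all, which is what makes the per-message behaviour survive the redirect; the trade-off is that `html()` must only ever be called with a literal template, never with a string assembled from request data.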