Update table column affix helpers to support Htmlables #10649
Fixes filamentphp#9729 and https://www.answeroverflow.com/m/1154022222118256700 by making it so that the `->prefix()` and `->suffix()` helpers support Htmlables like HtmlStrings.
I'm not super well versed in PHPStan. Are the test failures my fault?
danharrin left a comment
The problem with this is that if the prefix/suffix are Htmlable, but the main content isn't, the main content is still open to XSS attacks as if it was
So when you set isHtml, you will also need to htmlencode the state if it is not Htmlable.
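The escaping rule described in the review comment above, as an added example that is not part of the PR or Filament's own code: each part of the cell is encoded on its own unless it is Htmlable, so an Htmlable suffix never causes a plain-string state to be emitted raw. `Htmlable` and `HtmlString` here are minimal stand-ins for the Laravel types, and `renderPart()` and `renderCell()` are hypothetical helper names.

```php
<?php
declare(strict_types=1);

// Minimal stand-ins for Illuminate\Contracts\Support\Htmlable and
// Illuminate\Support\HtmlString so the example runs without Laravel.
interface Htmlable
{
    public function toHtml(): string;
}

final class HtmlString implements Htmlable
{
    public function __construct(private string $html) {}

    public function toHtml(): string
    {
        return $this->html;
    }
}

// Hypothetical helper: decide escaping per part, never for the whole cell.
function renderPart(Htmlable|string|null $part): string
{
    if ($part instanceof Htmlable) {
        return $part->toHtml(); // markup the developer explicitly marked as HTML
    }

    // Plain strings (including record data) are always HTML-encoded.
    return htmlspecialchars((string) $part, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: an Htmlable affix makes the cell render as HTML,
// but a plain-string state is still encoded before concatenation.
function renderCell(Htmlable|string|null $prefix, Htmlable|string $state, Htmlable|string|null $suffix): string
{
    return renderPart($prefix) . renderPart($state) . renderPart($suffix);
}

// Constructed sample: trusted badge markup as suffix, untrusted record value as state.
$suffix = new HtmlString('<span class="badge">Active</span>');
$state  = 'Acme <script>alert(1)</script>';

// The state is emitted as encoded text; only the suffix markup stays live.
echo renderCell(null, $state, $suffix), PHP_EOL;
```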
Okay, how should we handle this? I think that the main content state should also support Htmlable, since the TextColumn state also supports it.
The main content state is the TextColumn state I was referring to.
The TextColumn state is Htmlable, it's where I got the code for this PR from. For example, here's the workaround I'm currently using to get a HTML suffix:

```php
Tables\Columns\TextColumn::make('name')
    ->formatStateUsing(function (string $state, Project $record): HtmlString {
        $suffix = $record->isActive() ? view('components.filament.support.active-project-badge')->render() : '';

        return new HtmlString('<span class="flex">'.$state.$suffix.'</span>');
    })
```
I know, but using an Htmlable prefix/suffix should not also make the main content accept HTML. It's a security issue.
Ah, now I get what you mean. My implementation has a side effect. You're more well versed in how these internals work, what do you think is a better way of doing this?
When you set |
Description
Updates the `TableColumn` `->prefix()` and `->suffix()` helpers to support `Htmlables` like `HtmlStrings`.
Fixes #9729 and https://www.answeroverflow.com/m/1154022222118256700
Code style
`composer cs` command has been run.
Testing
Documentation