Consider encoding everything by default

[samdark]

See yiisoft/yii2#18404. In Yii 3 we can change it safely.

[dicrtarasov]

Good idea!
But also we need an option to disable encoding in some situations where content is generated HTML, for example labels with markup.

[samdark]

Yes. That is true.

[samdark]

Method	Encode by default	Can change	Pattern
tag	❌	❌	Simple tag content
beginTag	❌	❌	Simple tag content
endTag	❌	❌	Simple tag content
style	❌	❌	Simple tag content
script	❌	❌	Simple tag content
cssFile	✔️	❌	Attribute
jsFile	✔️	❌	Attribute
a	❌	❌	Simple tag content
mailto	❌	❌	Simple tag content
img	✔️	❌	Attribute
label	❌	❌	Simple tag content
button	❌	❌	Simple tag content
submitButton	❌	❌	Simple tag content
resetButton	❌	❌	Simple tag content
input	✔️	❌	Attribute
buttonInput	✔️	❌	Attribute
submitInput	✔️	❌	Attribute
resetInput	✔️	❌	Attribute
textInput	✔️	❌	Attribute
hiddenInput	✔️	❌	Attribute
passwordInput	✔️	❌	Attribute
fileInput	✔️	❌	Attribute
textarea	✔️	❌	That's an exception because textarea can't accept tags anyway
radio	✔️	❌	Attribute
checkbox	✔️	❌	Attribute
dropDownList	✔️	✔️	List
listBox	✔️	✔️	List
checkboxList	✔️	✔️	List
radioList	✔️	✔️	List
div	❌	❌	Simple tag content
span	❌	❌	Simple tag content
p	❌	❌	Simple tag content
ul	✔️	✔️	List
ol	✔️	✔️	List
renderSelectOptions	✔️	✔️	List
renderTagAttributes	✔️	❌	Attribute

[samdark]

General pattern now:

1. For simple tags don't encode content. No way to enable it, use Html::encode().
2. Always encode attributes. No way to disable it.
3. Encode list items by default, allow disabling it.

[samdark]

It is quite logical as it is and results in not that verbose syntax in templates. If we'll change it we'll have to turn encoding off for majority of simple tags all the time:

Html::p('This was a <strong>strong</strong> feeling.', ['encode' => false]);

That will likely result in:

1. More secure templates output by default.
2. People using HTML directly more.

Both are alright.

[dicrtarasov]

"no way to disable/enable it" sounds not good. Especially to disable, because when it disabled by default, we can use Html::encode. Why not adding boolean "encode" option, which alter default behavior?

Html::p('Some text', [
  'encode' => false
]);

Then use:

$encode = ArrayHelper::remove($options, 'encode', true);

Please, do not force encoding with no way to disable it.

[Mister-42]

If you give a good use case to not encode attributes, I am sure it will be changed.

[dicrtarasov]

Sure, you can imagine good case, to not make things imposdible to disable.

[Mister-42]

Nope, never came across one.

[samdark]

@dicrtarasov of course, we want it to be configurable i.e. you will be able to disable encoding.

[samdark]

@Mister-42 the use-case to disable encoding is when you need some HTML. For example,

Html::p('Hello, <strong>' . Html::encode($username). '</strong>!', [
  'encode' => false
]);

[Mister-42]

@Mister-42 the use-case to disable encoding is when you need some HTML. For example,

Html::p('Hello, <strong>' . Html::encode($username). '</strong>!', [
  'encode' => false
]);

No dispute there, but as you were specific about 'always encode attributes' that is what I replied on. Your example also does not contain attributes and is as such not a use case for my question.

[samdark]

Ah, right. For attribute values I have no idea why disabling encoding might make sense. @dicrtarasov do you have any?

[dicrtarasov]

Ah, right. For attribute values I have no idea why disabling encoding might make sense. @dicrtarasov do you have any?

I completely agree.
I wrote about tag contents