Alexander Makarov
12 years ago
4 changed files with 106 additions and 1 deletions
@ -0,0 +1,95 @@
|
View |
==== |
|
View is an important part of MVC and is reponsible for how data is presented to the end user. |
|
Basics |
------ |
|
Yii uses PHP in view templates by default so in a web application a view typically contains some HTML, `echo`, `foreach` |
and such basic constructs. It may also contain widget calls. Using complex code in views is considered a bad practice. |
Such code should be moved to controller or widgets. |
|
View is typically called from controller action like the following: |
|
```php |
public function actionIndex() |
{ |
return $this->render('index', array( |
'username' => 'samdark', |
)); |
} |
``` |
|
First argument is the view name. In context of the controller Yii will search for its views in `views/site/` where `site` |
is controller ID. For details on how view name is resolved please refer to [yii\base\Controller::render] method. |
Second argument is data array that contains key-value pairs. Value is available in the view as a variable named the same |
as the corresponding key. |
|
So the view for the action above should be in `views/site/index.php` and can be something like: |
|
```php |
<p>Hello, <?php echo $username?>!</p> |
``` |
|
Intead of just scalar values you can pass anything else such as arrays or objects. |
|
Layout |
------ |
|
Partials |
-------- |
|
|
Widgets |
------- |
|
Security |
-------- |
|
One of the main security principles is to always escape output. If violated it leads to script execution and, |
most probably, to cross-site scripting known as XSS leading to leaking of admin passwords, making a user to automatically |
perform actions etc. |
|
Yii provides a good toolset in order help you escaping your output. The very basic thing to escape is a text without any |
markup. You can deal with it like the following: |
|
```php |
<?php |
use yii\helpers\Html; |
?> |
|
<div class="username"> |
<?php echo Html::encode($user->name); ?> |
</div> |
``` |
|
When you want to render HTML it becomes complex so we're delegating the task to excellent |
[HTMLPurifier](http://htmlpurifier.org/) library. In order to use it you need to modify your `composer.json` first by |
adding the following to `require`: |
|
```javascript |
"ezyang/htmlpurifier": "v4.5.0" |
``` |
|
After it's done run `php composer.phar install` and wait till package is downloaded. Now everything is prepared to use |
Yii's HtmlPurifier helper: |
|
```php |
<?php |
use yii\helpers\HtmlPurifier; |
?> |
|
<div class="post"> |
<?php echo HtmlPurifier::process($post->text); ?> |
</div> |
``` |
|
Note that besides HTMLPurifier does excellent job making output safe it's not very fast so consider |
[caching result](caching.md). |
|
Alternative template languages |
------------------------------ |
|
There are offlicial extensions for [Smarty](http://www.smarty.net/) and [Twig](http://twig.sensiolabs.org/). In order |
to learn more refer to [Using template engines](template.md) section of the guide. |
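Review bot: the Basics example `<p>Hello, <?php echo $username?>!</p>` (the `views/site/index.php` snippet) echoes the value passed from the controller without escaping, which contradicts the rule this same file states under Security ("always escape output"); since this is the first view template a reader will copy, change it to `<p>Hello, <?php echo Html::encode($username) ?>!</p>` with `use yii\helpers\Html;` at the top, or add one sentence there pointing to the Security section. Smaller points in the same hunk: the `composer.json` fragment is fenced as javascript but is JSON, so tag the fence json; the Layout, Partials and Widgets headings have no body yet and should either get content or a TODO note so the guide does not publish empty sections; and the prose has typos to fix: "reponsible", "Intead", "offlicial", "in order help you escaping" (should read "to help you escape"), and "besides HTMLPurifier does excellent job making output safe it's not very fast" reads better as "although HTMLPurifier does an excellent job of making output safe, it is not very fast".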