Once you call
requested view script and executes it "inside" the scope of the
instance. Therefore, in your view scripts, references to
$this actually point
PhpRenderer instance itself.
- Explicitly, by retrieving them from the
Variablescontainer composed in the
- As instance properties of the
$this->varname. (In this situation, instance property access is proxying to the composed
- As local PHP variables:
PhpRendererextracts the members of the
We generally recommend using the second notation, as it's less verbose than the first, but differentiates between variables in the view script scope and those assigned to the renderer from elsewhere.
By way of reminder, here is the example view script from the
<?php if ($this->books): ?> <!-- A table of some books. --> <table> <tr> <th>Author</th> <th>Title</th> </tr> <?php foreach ($this->books as $key => $val): ?> <tr> <td><?= $this->escapeHtml($val['author']) ?></td> <td><?= $this->escapeHtml($val['title']) ?></td> </tr> <?php endforeach; ?> </table> <?php else: ?> <p>There are no books to display.</p> <?php endif;?>
One of the most important tasks to perform in a view script is to make sure that output is escaped properly; among other things, this helps to avoid cross-site scripting attacks. Unless you are using a function, method, or helper that does escaping on its own, you should always escape variables when you output them and pay careful attention to applying the correct escaping strategy to each HTML context you use.
PhpRenderer includes a selection of helpers you can use for this purpose:
Matching the correct helper (or combination of helpers) to the context into
which you are injecting untrusted variables will ensure that you are protected
against Cross-Site Scripting (XSS) vulnerabilities.