...
Warning: The above example is susceptible to cross-site scripting attacks. Whenever you output a variable in a template, you should consider whether that output should be HTML escaped. The proper way to render the input field above is this:

The I18nWriter will escape any HTML properly to avoid attacks or page breakage.
...
```html
<input type='hidden' name="items[2].itemId" value="BLUE_SHIRT"/>
<input type='hidden' name="items[2].quantity" value="1"/>
<input type='hidden' name="items[2].description" value="Blue Shirt"/>
<input type='hidden' name="items[2].amount" value="9.99"/>
```
$foreach.index property.
```velocity
#foreach($item in $form.items)
  #set($itemIndex = $foreach.index)
#end
```
It's a good practice to always assign the $foreach.index to a variable at the start of the loop to allow for easy management of nested loops.
```velocity
#foreach($item in $form.items)
  #set($itemIndex = $foreach.index)
  ## Set up hidden fields so the items object can be recreated on the server side.
  <input type='hidden' name="items[$itemIndex].itemId" value="$i18n.escape($!item.itemId)"/>
  <input type='hidden' name="items[$itemIndex].quantity" value="$i18n.escape($!item.quantity)"/>
  #foreach($option in $item.options)
    #set($optionIndex = $foreach.index)
    ## Option values are user-influenced output too, so they are escaped like the item fields.
    <input type='hidden' name="items[$itemIndex].options[$optionIndex].name" value="$i18n.escape($option.name)"/>
    <input type='hidden' name="items[$itemIndex].options[$optionIndex].value" value="$i18n.escape($option.value)"/>
    $i18n.escape($option.name) : $i18n.escape($option.value)
  #end ## foreach item options
#end
```
Reconstructing the entire object to aid error handling
When updating a collection of objects, there are usually only a few fields that will actually change. For example, with the auto_order.vm template, the only field in the $form.items array that is updated is the schedule field. However, you should output all of the fields in the object into form elements (most of the time these will be hidden fields) for two reasons:
- When the object is submitted to the server, other fields, such as primary key fields, are needed to assign the updated fields to the right objects.
- There is an error handling layer that processes requests before the engine performs updates. Any errors are sent directly back to the client. By outputting the entire object, including display fields like 'description', the page can re-render fully when errors occur without having to go through the entire page load sequence on the server side.
So, you'll notice unmodifiable fields stored in hidden fields throughout the examples. These are there to aid server-side object management and error handling.
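The two halves of this convention, emitting indexed and escaped hidden fields from a collection and rebuilding the nested objects from the submitted names, as an added Python illustration (not the project's own template engine or server code; the `render_hidden_fields` and `rebuild` functions and the sample item are constructed for this example):

```python
import html
import re

# One dotted segment of a field name: an identifier with an optional numeric
# index, e.g. "items[2]", "options[0]" or "itemId".
_SEGMENT = re.compile(r"([A-Za-z_]\w*)(?:\[(\d+)\])?")
ITEM_FIELDS = ("itemId", "quantity", "description", "amount")


def render_hidden_fields(items, prefix="items"):
    """Emit indexed hidden inputs for a collection, as the Velocity template
    above does, escaping every value so it cannot break out of the attribute."""
    fields = []
    for i, item in enumerate(items):
        for key in ITEM_FIELDS:
            if key in item:
                value = html.escape(str(item[key]), quote=True)
                fields.append(f'<input type="hidden" name="{prefix}[{i}].{key}" value="{value}"/>')
        for j, option in enumerate(item.get("options", [])):
            for key in ("name", "value"):
                value = html.escape(str(option[key]), quote=True)
                fields.append(
                    f'<input type="hidden" name="{prefix}[{i}].options[{j}].{key}" value="{value}"/>'
                )
    return fields


def rebuild(pairs):
    """Rebuild nested objects from submitted (name, value) pairs that follow the
    items[i].field / items[i].options[j].field convention. Collections are dicts
    keyed by integer index, so a sparse submission (only items[2] present, as in
    the example above) keeps its index. Malformed names are rejected, not guessed."""
    root = {}
    for name, value in pairs:
        segments = [_SEGMENT.fullmatch(part) for part in name.split(".")]
        if not all(segments):
            raise ValueError(f"malformed field name: {name!r}")
        node = root
        for depth, match in enumerate(segments):
            field, index = match.group(1), match.group(2)
            if depth == len(segments) - 1:
                if index is not None:
                    raise ValueError(f"indexed name without a field: {name!r}")
                node[field] = value
                break
            node = node.setdefault(field, {})
            if index is not None and isinstance(node, dict):
                node = node.setdefault(int(index), {})
            if not isinstance(node, dict):
                raise ValueError(f"{name!r} conflicts with an earlier scalar value")
    return root
```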