...

Warning

The above example is susceptible to cross-site scripting (XSS) attacks. Whenever you output a variable in a template, consider whether that output should be HTML escaped; anything that came from the user (form fields, addresses, names) must be.

The proper way to render the input field above is this:

<input type='text' name='address1' value='$i18n.escape($!form.address1)' />   <!-- this is safe. -->

The I18nWriter HTML-escapes the value, so user data can neither inject markup into the page nor break the surrounding HTML.
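As an added illustration (not code from the original page, and not the I18nWriter itself), the following Python script renders the address field both ways. html.escape stands in for $i18n.escape, the address value is a constructed payload, and the attributes that an HTML parser recovers from each rendering show why the escape matters: note that the template quotes attributes with single quotes, so the escaper must handle the single quote, not only &, < and >.

```python
import html
from html.parser import HTMLParser

# Constructed attacker-supplied value for address1: it closes the single-quoted
# value attribute and smuggles in an event-handler attribute.
MALICIOUS_ADDRESS = "123 Main St' autofocus onfocus='alert(document.cookie)"


def render_unsafe(address1) -> str:
    """Mirrors value='$!form.address1': the raw value goes straight into the attribute."""
    text = "" if address1 is None else str(address1)
    return f"<input type='text' name='address1' value='{text}' />"


def escape_for_attribute(value) -> str:
    """Stand-in for $i18n.escape($!value): escape &, <, >, double and single quotes.

    quote=True is the important part here: an escaper that leaves the single
    quote alone would still let the payload above break out of the attribute.
    """
    return html.escape("" if value is None else str(value), quote=True)


def render_safe(address1) -> str:
    """Mirrors value='$i18n.escape($!form.address1)'."""
    return f"<input type='text' name='address1' value='{escape_for_attribute(address1)}' />"


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser-style parser sees on the <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attributes(fragment: str) -> dict:
    """Return {attribute name: value} for the <input> in the rendered fragment."""
    parser = _InputAttrs()
    parser.feed(fragment)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    # Unsafe rendering yields extra 'autofocus' and 'onfocus' attributes;
    # safe rendering yields only type, name and value, with the payload inert.
    print(render_unsafe(MALICIOUS_ADDRESS), parsed_attributes(render_unsafe(MALICIOUS_ADDRESS)))
    print(render_safe(MALICIOUS_ADDRESS), parsed_attributes(render_safe(MALICIOUS_ADDRESS)))
```

The parser check is the useful part: rather than eyeballing the markup, it confirms that the unsafe rendering grew an onfocus handler while the safe one carries the whole payload as plain attribute text.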

...

<input type='hidden' name="items[2].itemId" value="BLUE_SHIRT"/>
<input type='hidden' name="items[2].quantity" value="1"/>
<input type='hidden' name="items[2].description" value="Blue Shirt"/>
<input type='hidden' name="items[2].amount" value="9.99"/>
Whenever ordinal positions like these are needed, you will be iterating an array within the template. Apache Velocity provides a very simple means of tracking the position within the array: the $foreach.index property, which is zero-based (so the third item produces items[2]).

 

Code Block
#foreach($item in $form.items)      
   #set($itemIndex = $foreach.index)
#end

It is good practice to assign $foreach.index to a variable at the start of every loop. Inside a nested loop, $foreach refers to the innermost loop, so a saved variable is the simplest way to keep the outer index available.

Code Block
#foreach($item in $form.items)
   #set($itemIndex = $foreach.index)
   <!-- set up hidden fields so the items object can be recreated on the server side. -->
   <input type='hidden' name="items[$itemIndex].itemId" value="$i18n.escape($!item.itemId)"/>
   <input type='hidden' name="items[$itemIndex].quantity" value="$i18n.escape($!item.quantity)"/>

   #foreach($option in $item.options)
      #set($optionIndex = $foreach.index)
      ## option names and values are user data too, so they get escaped like every other output
      <input type='hidden' name="items[$itemIndex].options[$optionIndex].name" value="$i18n.escape($!option.name)"/>
      <input type='hidden' name="items[$itemIndex].options[$optionIndex].value" value="$i18n.escape($!option.value)"/>
      $i18n.escape($option.name) : $i18n.escape($option.value)
   #end ## foreach item options
#end

 

Reconstructing the entire object to aid error handling

When updating a collection of objects, usually only a few fields actually change. For example, in the auto_order.vm template, the only field in the $form.items array that is updated is the schedule field. However, you should output all of the fields of each object as form elements (most of the time as hidden fields), for two reasons:

  1. When the form is submitted, the server needs the other fields, such as primary key fields, to assign the updated fields to the right objects.
  2. An error-handling layer processes requests before the engine performs updates, and any errors are sent directly back to the client. Because the entire object, including display fields like 'description', is present in the request, the page can re-render fully when errors occur without repeating the whole page-load sequence on the server side.

So you will notice unmodifiable fields stored in hidden fields throughout the examples. They are there to aid server-side object management and error handling. Keep in mind that a hidden field is still client-supplied input: the server should use the key fields to look up its own copy of the object and should not take values such as amount from the submitted form.
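The round trip described above (index-named hidden fields out, nested objects back in, and a server-side merge that updates only the schedule field) as an added Python example; this is not code from the original page or from the template engine, the stored items and the posted form are constructed samples, and the function names are my own.

```python
import html
import re

# Constructed sample: what the server already holds for an auto order.
# Field names follow the template (itemId, quantity, description, amount, schedule, options).
STORED_ITEMS = [
    {"itemId": "BLUE_SHIRT", "quantity": "1", "description": 'Blue "Classic" Shirt',
     "amount": "9.99", "schedule": "Weekly",
     "options": [{"name": "size", "value": "L"}, {"name": "color", "value": "blue"}]},
    {"itemId": "RED_HAT", "quantity": "2", "description": "Red Hat",
     "amount": "4.50", "schedule": "Weekly", "options": []},
]

# Fields the template writes out as hidden inputs; 'schedule' is the one
# editable field and would come from a visible control instead.
HIDDEN_FIELDS = ("itemId", "quantity", "description", "amount")
UPDATABLE_FIELDS = ("schedule",)


def hidden(name: str, value) -> str:
    """One hidden input; the value is HTML-escaped like $i18n.escape($!value)."""
    text = "" if value is None else html.escape(str(value), quote=True)
    return f'<input type="hidden" name="{name}" value="{text}"/>'


def render_hidden_fields(items) -> str:
    """Mirror the nested #foreach: items[$itemIndex].options[$optionIndex].name and friends."""
    lines = []
    for i, item in enumerate(items):
        for field in HIDDEN_FIELDS:
            lines.append(hidden(f"items[{i}].{field}", item.get(field)))
        for j, opt in enumerate(item.get("options", [])):
            lines.append(hidden(f"items[{i}].options[{j}].name", opt["name"]))
            lines.append(hidden(f"items[{i}].options[{j}].value", opt["value"]))
    return "\n".join(lines)


def pairs_from_html(fragment: str):
    """Recover (name, value) pairs from the hidden inputs, as a browser would post them."""
    found = re.findall(r'name="([^"]*)" value="([^"]*)"', fragment)
    return [(name, html.unescape(value)) for name, value in found]


_SEGMENT = re.compile(r"^([A-Za-z_]\w*)(?:\[(\d+)\])?$")


def parse_indexed_form(pairs) -> dict:
    """Rebuild nested dicts/lists from names such as items[0].options[1].name."""
    root: dict = {}
    for name, value in pairs:
        node = root
        segments = name.split(".")
        for pos, segment in enumerate(segments):
            match = _SEGMENT.match(segment)
            if not match:
                raise ValueError(f"malformed field name: {name!r}")
            key, index = match.group(1), match.group(2)
            last = pos == len(segments) - 1
            if index is None:
                if last:
                    node[key] = value
                else:
                    node = node.setdefault(key, {})
            else:
                bucket = node.setdefault(key, [])
                while len(bucket) <= int(index):  # ordinals may arrive out of order
                    bucket.append({})
                if last:
                    bucket[int(index)] = value
                else:
                    node = bucket[int(index)]
    return root


def apply_update(stored_items, posted_items, updatable=UPDATABLE_FIELDS):
    """Match posted rows to stored objects by itemId and copy only the updatable fields.

    Hidden fields are client-controlled, so amount, description and quantity are
    taken from the store, never from the post. Returns (updated_items, errors).
    """
    by_id = {item["itemId"]: dict(item) for item in stored_items}
    errors = []
    for pos, row in enumerate(posted_items):
        item_id = row.get("itemId")
        if item_id not in by_id:
            errors.append(f"items[{pos}]: unknown itemId {item_id!r}")
            continue
        for field in updatable:
            if field in row:
                by_id[item_id][field] = row[field]
    return list(by_id.values()), errors


# Constructed post: the client changed a schedule, tampered with a hidden
# amount, and added a row for an item the server does not know about.
SAMPLE_POST = [
    ("items[0].itemId", "BLUE_SHIRT"),
    ("items[0].amount", "0.01"),
    ("items[0].schedule", "Monthly"),
    ("items[0].options[0].name", "size"),
    ("items[0].options[0].value", "L"),
    ("items[1].itemId", "RED_HAT"),
    ("items[1].schedule", "Weekly"),
    ("items[2].itemId", "GREEN_SOCKS"),
    ("items[2].schedule", "Daily"),
]

if __name__ == "__main__":
    print(render_hidden_fields(STORED_ITEMS))
    print(apply_update(STORED_ITEMS, parse_indexed_form(SAMPLE_POST)["items"]))
```

The tampered amount never reaches the stored object because apply_update copies only the fields named in UPDATABLE_FIELDS, and the unknown itemId is reported as an error for the page to re-render rather than silently creating a new item.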