Symfony/Doctrine: Unserialize in action vs template

Published 2019-04-17 08:01

Question:

Can anyone tell me why calling "unserialize" works fine in an action but gives an offset error in a template?

It's basically possible to unserialize a database text result into a variable in an action and pass it to template, in which case it displays fine:

$this->clean = unserialize($this->raw);
<?php echo $clean ?>

But not if called directly in a template:

<?php echo unserialize($raw) ?>

Would be interested in knowing why this is so and whether there's some workaround.

Thanks.

Answer 1:

Symfony puts all template variables into a sfOutputEscaperArrayDecorator class. So when you write unserialize($var), you are actually trying to unserialize the sfOutputEscaperArrayDecorator class.

I recommend turning off output escaping in settings.yml:

escaping_strategy:     false

It is a stupid, performance-slaughtering, unnecessary feature of Symfony that needs to be murdered.

Updated:

If you turn off escaping_strategy, you will need to manually escape input from the users (to prevent XSS) with htmlSpecialCharacters().

The Symfony class does that for you, but that means it also escapes every single number and character -- 99% of which you already know will be safe (IDs, dates, your own content). When I turned off the automatic escaping, my server load fell significantly.

Keep in mind that Symfony double-applies this automatic escaping if you pass a sfOutputEscaperArrayDecorator to a partial, meaning > will become &amp;gt;
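The following is an added example, not code from the question or the answer above, showing in plain PHP why unserialize() of the same string succeeds in the action and fails with an offset error in the template, and two ways to handle it without turning output escaping off globally. It assumes PHP 7 or later (for the second argument of unserialize()) and models Symfony 1.x's default escaping of string template variables as htmlspecialchars() with ENT_QUOTES; escape_like_template() and getRaw() are local stand-ins, the real template call being $sf_data->getRaw('raw').

```php
<?php
// Added example (not from the original post). Plain PHP, no Symfony dependency.
// escape_like_template() stands in for the escaping Symfony 1.x applies to
// every string template variable when escaping_strategy is enabled.

// Constructed sample value: what the action read back from the database column.
$stored = ['title' => 'Hello <b>World</b>', 'count' => 3];
$raw = serialize($stored);
// a:2:{s:5:"title";s:18:"Hello <b>World</b>";s:5:"count";i:3;}

// Stand-in for the template-variable escaping (htmlspecialchars with ENT_QUOTES).
function escape_like_template(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// In the template, $raw is no longer the stored string: every " became &quot;
// and < / > became &lt; / &gt;, so the byte lengths recorded inside the
// serialized string (s:18:"...") no longer match the payload and unserialize()
// reports "Error at offset N of M bytes". The @ only silences that notice here
// so the boolean result can be shown; allowed_classes => false keeps
// unserialize() from instantiating objects, which is the defensive default.
$escaped = escape_like_template($raw);
$inTemplate = @unserialize($escaped, ['allowed_classes' => false]);
var_dump($inTemplate === false);   // bool(true): unserialize failed in the "template"

// Fix 1 (in the action): unserialize the untouched string before passing it to
// the template. The template then escapes each field on output as usual.
$clean = unserialize($raw, ['allowed_classes' => false]);
echo escape_like_template($clean['title']), "\n";   // Hello &lt;b&gt;World&lt;/b&gt;

// Fix 2 (in the template, escaping left on): fetch the unescaped value for this
// one variable and escape the individual fields yourself. In a Symfony 1.x
// template this is $sf_data->getRaw('raw'); getRaw() here is a local stand-in
// with the same contract (assumption for this example).
function getRaw(array $unescaped, string $name): string
{
    return $unescaped[$name];
}
$data = unserialize(getRaw(['raw' => $raw], 'raw'), ['allowed_classes' => false]);
echo escape_like_template($data['title']), "\n";   // Hello &lt;b&gt;World&lt;/b&gt;
```

Both fixes keep escaping_strategy enabled: only the one serialized string is taken raw, and the fields it contains are still escaped before they reach the page, so user-supplied text inside the serialized array cannot be rendered as markup.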