Symfony/Doctrine:反序列化在行动与模板

谁能告诉我为什么调用反序列化"在操作中可以正常工作,但在模板中会出现偏移错误?

Can anyone tell me why calling "unserialize" works fine in an action but gives an offset error in a template?

基本上可以将数据库文本结果反序列化为操作中的变量并将其传递给模板,在这种情况下它可以正常显示:

It's basically possible to unserialize a database text result into a variable in an action and pass it to template, in which case it displays fine:

$this->clean = unserialize($this->raw);
<?php echo $clean ?>

但如果直接在模板中调用则不会:

But not if called directly in a template:

<?php echo unserialize($raw) ?>

想知道为什么会这样以及是否有一些解决方法.

Would be interested in knowing why this is so and whether there's some workaround.

谢谢.

推荐答案

Symfony 将所有模板变量放入一个 sfOutputEscaperArrayDecorator 类.所以当你编写 unserialize($var) 时,实际上是在尝试对 sfOutputEscaperArrayDecorator 类进行反序列化.

Symfony puts all template variables into a sfOutputEscaperArrayDecorator class. So when you write unserialize($var), you are actually trying to unserialize the sfOutputEscaperArrayDecorator class.

我建议在 settings.yml 中关闭输出转义:

I recommend turning off output escaping in settings.yml:

escaping_strategy:     false

这是 Symfony 中一个愚蠢的、破坏性能的、不必要的功能,需要被扼杀.

It is a stupid, performance-slaughtering, unnecessary feature of Symfony that needs murdered.

更新:

如果您关闭 escaping_strategy,您将需要使用 htmlSpecialCharacters() 手动转义用户的输入(以防止 XSS).

If you turn off escaping_strategy, you will need to manually escape input from the users (to prevent XSS) with htmlSpecialCharacters().

Symfony 类会为您做到这一点,但这意味着它还会转义每一个数字和字符——您已经知道其中 99% 是安全的(ID、日期、您自己的内容).当我关闭自动转义时,我的服务器负载明显下降.

The Symfony class does that for you, but that means it also escapes every single number and character -- 99% of which you already know will be safe (IDs, dates, your own content). When I turned off the automatic escaping, my server load fell significantly.

请记住,如果您将 sfOutputEscaperArrayDecorator 传递给部分,Symfony 双重应用这种自动转义,这意味着 > 将变为 <代码>&amp;gt;

Keep in mind that Symfony double-applies this automatic escaping if you pass a sfOutputEscaperArrayDecorator to a partial, meaning > will become &amp;gt;

相关文章