Skip to content

Allow Raw HTML Rendering in QtView::setParam() via Additional Flags #269

Description

@armanist

Currently, the QtView::setParam($key, $value) method escapes all parameter values using htmlspecialchars($value, ENT_NOQUOTES, 'UTF-8') before rendering. While this is useful for security and preventing XSS, it restricts legitimate use cases where raw HTML content needs to be rendered directly in the view (e.g., when injecting trusted content like icons, formatted messages, etc.).

Update the QtView::setParam() method to support raw HTML content by introducing three optional boolean parameters to give developers fine-grained control over escaping behavior.

Acceptance Criteria:

  • Backward compatibility is preserved (default behavior is unchanged).
  • When $escape is false, raw HTML is correctly rendered in the browser.
  • Unit tests are added for escaped and raw param rendering.

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

Fields

No fields configured for Task.

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions