Currently, the QtView::setParam($key, $value) method escapes all parameter values using htmlspecialchars($value, ENT_NOQUOTES, 'UTF-8') before rendering. While this is useful for security and preventing XSS, it restricts legitimate use cases where raw HTML content needs to be rendered directly in the view (e.g., when injecting trusted content like icons, formatted messages, etc.).
Update the QtView::setParam() method to support raw HTML content by introducing three optional boolean parameters to give developers fine-grained control over escaping behavior.
Acceptance Criteria:
- Backward compatibility is preserved (default behavior is unchanged).
- When $escape is false, raw HTML is correctly rendered in the browser.
- Unit tests are added for escaped and raw param rendering.
Currently, the
QtView::setParam($key, $value)method escapes all parameter values usinghtmlspecialchars($value, ENT_NOQUOTES, 'UTF-8')before rendering. While this is useful for security and preventing XSS, it restricts legitimate use cases where raw HTML content needs to be rendered directly in the view (e.g., when injecting trusted content like icons, formatted messages, etc.).Update the
QtView::setParam()method to support raw HTML content by introducing three optional boolean parameters to give developers fine-grained control over escaping behavior.Acceptance Criteria: