Files
breadcrumb-the-shire/templates/partials/app-flash.phtml
fs 576a0c51cd feat(guards): add GR-SEC-010 — output escaping enforcement in views
Add architecture test ViewLayerOutputEscapingContractTest that flags
raw <?php echo in .phtml files. Legitimate uses (pre-built ARIA attrs
from navActive(), hardcoded role values, pre-rendered HTML fragments)
must carry an inline // raw-html-ok: reason marker.

Annotated all 11 existing raw echo sites with justification markers.
Added guard to catalog, enforcement map (automated), CLAUDE.md security
section, and never-do-this list.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 12:08:25 +02:00

36 lines
1.2 KiB
PHTML

<?php
use MintyPHP\Support\Flash;
use MintyPHP\Http\Request;
use MintyPHP\Session;
$messages = Flash::peek(Request::path()) ?: Flash::peek(Request::pathWithQuery());
if (!$messages) {
return;
}
$returnTarget = Request::pathWithQuery();
$timeouts = [
'success' => 5000,
'info' => 6000,
'warning' => 7000,
'error' => 0,
];
?>
<div class="app-toast-stack" data-app-component="flash-auto-dismiss" aria-live="polite">
<?php foreach ($messages as $message) : ?>
<?php $type = $message['type'] ?? 'info'; ?>
<?php $timeout = $timeouts[$type] ?? 5000; ?>
<?php $isAssertive = $type === 'error' || $type === 'warning'; ?>
<div class="notice" data-variant="<?php e($type); ?>" data-flash-timeout="<?php e($timeout); ?>" role="<?php echo $isAssertive ? 'alert' : 'status'; // raw-html-ok: hardcoded ARIA role values ?>">
<span><?php e(t($message['message'] ?? '')); ?></span>
<form method="post" action="flash/dismiss/<?php e($message['id'] ?? ''); ?>">
<input type="hidden" name="return" value="<?php e($returnTarget); ?>">
<button type="submit" aria-label="<?php e(t('Dismiss')); ?>"><i class="bi bi-x-lg"></i></button>
<?php Session::getCsrfInput(); ?>
</form>
</div>
<?php endforeach; ?>
</div>