Files
breadcrumb-the-shire/templates/partials/app-list-titlebar.phtml
fs 576a0c51cd feat(guards): add GR-SEC-010 — output escaping enforcement in views
Add architecture test ViewLayerOutputEscapingContractTest that flags
raw <?php echo in .phtml files. Legitimate uses (pre-built ARIA attrs
from navActive(), hardcoded role values, pre-rendered HTML fragments)
must carry an inline // raw-html-ok: reason marker.

Annotated all 11 existing raw echo sites with justification markers.
Added guard to catalog, enforcement map (automated), CLAUDE.md security
section, and never-do-this list.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 12:08:25 +02:00

19 lines
684 B
PHTML

<?php
$listTitle = trim((string) ($listTitle ?? ''));
$listTitleActionsHtml = (string) ($listTitleActionsHtml ?? '');
$listTitleTag = strtolower(trim((string) ($listTitleTag ?? 'h1')));
$allowedTitleTags = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6'];
if (!in_array($listTitleTag, $allowedTitleTags, true)) {
$listTitleTag = 'h1';
}
?>
<div class="app-list-titlebar">
<<?php e($listTitleTag); ?>><?php e($listTitle); ?></<?php e($listTitleTag); ?>>
<?php if (trim($listTitleActionsHtml) !== ''): ?>
<div class="app-list-titlebar-actions">
<?php echo $listTitleActionsHtml; // raw-html-ok: pre-built HTML from titlebar action renderer ?>
</div>
<?php endif; ?>
</div>