forked from fa/breadcrumb-the-shire
Add architecture test ViewLayerOutputEscapingContractTest that flags raw <?php echo in .phtml files. Legitimate uses (pre-built ARIA attrs from navActive(), hardcoded role values, pre-rendered HTML fragments) must carry an inline // raw-html-ok: reason marker. Annotated all 11 existing raw echo sites with justification markers. Added guard to catalog, enforcement map (automated), CLAUDE.md security section, and never-do-this list. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
19 lines
684 B
PHTML
19 lines
684 B
PHTML
<?php
|
|
$listTitle = trim((string) ($listTitle ?? ''));
|
|
$listTitleActionsHtml = (string) ($listTitleActionsHtml ?? '');
|
|
$listTitleTag = strtolower(trim((string) ($listTitleTag ?? 'h1')));
|
|
$allowedTitleTags = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6'];
|
|
|
|
if (!in_array($listTitleTag, $allowedTitleTags, true)) {
|
|
$listTitleTag = 'h1';
|
|
}
|
|
?>
|
|
<div class="app-list-titlebar">
|
|
<<?php e($listTitleTag); ?>><?php e($listTitle); ?></<?php e($listTitleTag); ?>>
|
|
<?php if (trim($listTitleActionsHtml) !== ''): ?>
|
|
<div class="app-list-titlebar-actions">
|
|
<?php echo $listTitleActionsHtml; // raw-html-ok: pre-built HTML from titlebar action renderer ?>
|
|
</div>
|
|
<?php endif; ?>
|
|
</div>
|