The templates are a mix of XHTML, or other output formats, and some eZ template blocks and variables. This document defines the structure and syntax of the eZ template related parts. The XHTML standard defines how you should format XHTML/HTML.
Template variables should be named in lower case, with words separated by _. Attributes should be lower case and named in the same manner as template variables. Template variables that work as lists should be named as such, since this makes them more visible, i.e. workflow_list rather than workflows: telling workflow apart from workflows at a glance is hard.
Namespaces should be named with a capital first letter. Use the $: syntax to refer to the current namespace.
{section name=Child loop=$children}
    <h1>{$:item.name}</h1>
{/section}
Start every template with a comment.
{* Full view template for article.
   Description
   Foo bar *}
Use a space after ( and before ), and a space after ,
{fetch( content, list, hash( parent_node_id, $node.node_id ) )}
but not when there is nothing between ( and ), e.g. true()
Code between {let} and {/let} should not be indented.
{let page_limit=15}
<h1>do not indent here</h1>
{/let}
The assignments in a multiline {let} should be indented to the same level:
{let varA=42
     varB=52
     varC='test'}
{/let}
Code in {section} should always be indented.
{section name=Bla loop=$blabla}
    <tr>
        <td>
            <h1>{$:item.name}</h1>
            <h2>{$:item.name}</h2>
        </td>
    </tr>
{/section}
Code in table should not be indented.
<table>
<tr>
    <td>
    </td>
</tr>
</table>
Code in tr should be indented.
<table>
<tr>
    <td>
    </td>
</tr>
</table>
Code in td and div should be indented.
<table>
<tr>
    <td>
        <p>
        All work and no sleep makes ole a dull boy
        All work and no sleep makes ole a dull boy
        </p>
        <div class="example">
            All work and no sleep makes ole a dull boy
        </div>
    </td>
</tr>
</table>
Code in {switch} should not be indented, but in {case} it should.
{switch match=$item_next}
{case match=1}
    <h1>Match!</h1>
{/case}
{/switch}
Code in {delimiter} should be indented.
{delimiter}
    /
{/delimiter}
All templates shipped with eZ publish are designed with security in mind, which means they apply proper output washing to avoid XSS exploits. However, if you create new templates it is important that you take the same steps to secure them.
Before displaying stored data in an HTML page you must make sure that it is presentable, especially to avoid cross-site scripting (XSS). This might mean escaping the data or converting it to a different form; however, this washing must not be done until the data is just about to be shown to the user. The escaping code therefore does not belong in the class or function that returns the input data but in the template code, because the data layer cannot know what the client code wants to do with the data.
display( "view.tpl" );

// view.tpl
{$obj.title|wash}
{$obj.description|wash}
{$obj.price}
{$obj.email|wash(email)}
It is also important to make sure that all generated URLs are washed properly: for instance, it is possible to input special characters in the URL that alter the generated HTML code in such a way that it runs JavaScript.
In eZ publish, escaping of URLs is done with the ezurl operator, which makes sure the resulting URL is properly escaped and has the correct form for non-virtual hosts.
Example using ezurl operator
<a href={$node.url_alias|ezurl}>My link</a>
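As an added example (not eZ publish code), the following Python models the output-time washing described above: untrusted data stays raw in storage, and a minimal renderer applies wash and ezurl only where a variable is substituted into the template. The wash(email) and ezurl behaviour, the /index.php prefix and the sample data are simplified assumptions, not eZ's actual implementation.

```python
import html
import re
from urllib.parse import quote
# Constructed sample of stored, untrusted data. It stays raw in storage because,
# as the text says, washing belongs in the template, right before display.
OBJ = {
    "title": "<script>alert(1)</script>Hello",
    "description": 'Tom & "Jerry"',
    "price": "42",
    "email": "ole@example.com",
    "url_alias": 'news/article"onmouseover="x',
}

def wash(value, kind="xhtml"):
    """Model of |wash: escape for the context the value is about to enter."""
    if kind == "xhtml":
        return html.escape(value, quote=True)
    if kind == "email":
        # Assumption: wash(email) is modelled as HTML escaping plus entity-
        # encoding '@', so the address embeds safely and is harder to harvest.
        return html.escape(value, quote=True).replace("@", "&#64;")
    raise ValueError("unknown wash type %r" % kind)

def ezurl(path, site_prefix="/index.php"):
    """Model of |ezurl: percent-encode the alias, prepend the non-virtual-host
    prefix (assumed /index.php) and return the result in double quotes."""
    return '"%s/%s"' % (site_prefix, quote(path, safe="/"))

# Matches {$obj.attr}, {$obj.attr|op} and {$obj.attr|op(arg)}.
TOKEN = re.compile(r"\{\$(\w+)\.(\w+)(?:\|(\w+)(?:\((\w+)\))?)?\}")

def render(template, ctx):
    """Substitute variables, applying operators only at output time."""
    def sub(m):
        var, attr, op, arg = m.groups()
        value = ctx[var][attr]
        if op is None:
            return value            # unwashed, like {$obj.price} in the text
        if op == "wash":
            return wash(value, arg or "xhtml")
        if op == "ezurl":
            return ezurl(value)
        raise ValueError("unknown operator %r" % op)
    return TOKEN.sub(sub, template)

VIEW_TPL = ("<h1>{$obj.title|wash}</h1>\n<p>{$obj.description|wash}</p>\n"
            "<span>{$obj.price}</span>\n"
            '<a href="mailto:{$obj.email|wash(email)}">mail</a>\n'
            "<a href={$obj.url_alias|ezurl}>My link</a>\n")
```

Rendering VIEW_TPL with {"obj": OBJ} shows the title and description entity-escaped, the quote in url_alias percent-encoded inside the ezurl output, and the unwashed price passed through untouched.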
Comments
Re: Smarty involvement in template system?
Jan Borsodi
Monday 25 August 2003 11:55:53 am
The rest is quite different, we spent a lot of time thinking about what is needed from a template system.
So in the end Smarty and eZ template are very different and can't really be compared.
Smarty involvement in template system?
Dave Joyce
Thursday 21 August 2003 9:20:41 pm