print variable with nofilter on tpl

[Mirko L]

Hi there,

i'm developing a module and i need to print a variable that contains html code in a tpl file. I know that i can use "nofilter" to do this (i.e. {$var nofilter})

When i try to validate the module (on validator.prestashop.com), in the security tab, there is this error: "Removing variable escaping is highly discouraged because malicious code can be displayed and executed". If i remove "nofilter", the variable is print as plain text. For example:

in module class 

$var = "<p>test string</p>";
$this->context->smarty->assign(['var'=>$var]);

in tpl file

{$var nofilter} <!-- output: test string -->
{$var|escape:'html':'UTF-8'} <!-- output: <p>test string</p> -->

How can i solve the validation error? Can i submit the module on the marketplace also with this error?

I'm using PrestaShop version 1.7.6.3

Thanks in advance

Edited February 6, 2020 by Mirko L (see edit history)

[Nishith Nesdiya]

Hi.

please leave this error and upload module in prestashop addons 

use this {$var nofilter}

Thanks

[Mirko L]

ok thank you!

[fbenoist.com]

With your code there is a risk of an XSS attack. 

You must write:

{$var|cleanHtml nofilter}

 

[Mirko L]

8 minutes ago, fbenoist.com said:

With your code there is a risk of an XSS attack. 

You must write:

{$var|cleanHtml nofilter}

 

thank you @fbenoist.com, it solve the error on validator!