Hi devs,
Using the {{translation}} macro to insert translations is the best for security and performances, but safely passing user input as parameters to the {{translation}} macro is currently very error-prone.
So, similarly to what we did for other macros, I would like to propose to introduce a new parameter to the {{translation}} macro allowing to pass the name of a script variable containing the parameters values.
As an example, the idea would be to allow things like:
{{velocity}}
#set ($txparams = [$param1, $param2])
{{translation key="my.translation.key" parameters_script="txparams"/}}
{{/velocity}}
Of course, like with other macros, the context author would require script right to be allowed to use this parameter.
- Do you agree with the concept ?
- What about the parameter name ? Here are a few ideas
a.sparameters: short, but it feels like a good candidate for endless typos
b.scriptParameters: same thing but a bit more explicit
c.parameters_script: makes a bit more explicit that it’s actually a special version of theparametersmacro parameter (even if means adding a checkstyle ignore for that field in Java)
e. other ideas ?
I also thought about introducing a syntax in the parameters values to express the fact that some parameter is a script variable instead of a value, but it would be an API breakage.
WDYT ?
On my side, +1 for 1) and for 2) my preference goes to parameters_script (because it makes visually more obvious that it’s a special parameter) but I’m OK with scriptParameters too if others prefer that. Not a fan of sparameters.
Side note: my dream would be a generic way to allow passing a variable name instead of the value for any macro parameter. But I’m afraid this would need a new xwiki/* syntax and quite a refactoring of the rendering events and of the MacroBlock to express that properly (might even need a new block actually, but it’s not the only new concept we might want to add to macro blocks so why not). One day…
