<% loop $Results %>
  <article class="l-card">
    <%-- prints the html part (This is <span class="highlight-search-result">a test</span>) --%>
    <h4><a href="$Link">$Title</a></h4>
    <%-- works --%>
    <h4><a href="$Link">This is <span class="highlight-search-result">a test</span>.</a></h4>
    <% if $Content %>
      <p>$Content</p>
    <% end_if %>
    <a class="readMoreLink" href="$Link">Read more about "{$Title}"...</a>
  </article>
<% end_loop %>
The Content is rendered correctly (even if within the link). The title is not rendered correctly - it prints out the html part. What is the difference between Content and Title, and what is the correct syntax to render the Title correctly?
Not sure what you mean with “prints out the html part”: a real example would be much more helpful.
According to the source code, Title is Varchar, so by default HTML special chars are escaped. On the other hand, Content is HTMLText: it is expected to contain HTML entities so by default HTML special chars are not escaped.
If for some reason you want to force a different behavior, you can explicitly specify escape methods, e.g. $Title.RAW will not escape HTML chars while $Content.XML will escape them.
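An added example (not code from this thread) of building the highlighted title so that it is safe to output with $Title.RAW as suggested above: the stored title and the user-supplied search term are escaped first, and only the highlight span itself is live markup. The function name and the constructed inputs are mine; how the value is attached to each result object depends on your controller.

```php
<?php
// Added example, not code from the thread. Escape the pieces first, then wrap
// the matches, so both the stored title and the search term reach the page as
// text while only our own <span> is markup. The result is safe for $Title.RAW.

const HIGHLIGHT_OPEN  = '<span class="highlight-search-result">';
const HIGHLIGHT_CLOSE = '</span>';

function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Returns $title as HTML with every case-insensitive occurrence of $term
 * highlighted. Splitting happens on the raw strings and escaping on each
 * piece, so a match can never land inside an entity such as &amp;.
 */
function highlightTitle(string $title, string $term): string
{
    $term = trim($term);
    if ($term === '') {
        return escapeHtml($title);
    }
    // preg_quote: regex metacharacters in the (user-supplied) term stay literal
    $pattern = '/(' . preg_quote($term, '/') . ')/iu';
    $parts   = preg_split($pattern, $title, -1, PREG_SPLIT_DELIM_CAPTURE);
    if ($parts === false) {            // invalid UTF-8 in $title or $term
        return escapeHtml($title);
    }
    $html = '';
    foreach ($parts as $i => $part) {  // odd indexes are the captured matches
        $html .= ($i % 2 === 1)
            ? HIGHLIGHT_OPEN . escapeHtml($part) . HIGHLIGHT_CLOSE
            : escapeHtml($part);
    }
    return $html;
}

// Constructed inputs: a title that contains markup, and a hostile search term.
echo highlightTitle('This is a test <b>page</b>', 'test'), "\n";
echo highlightTitle('Hello <script>', '<script>'), "\n";
```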
Just as an aside… We obviously aren’t seeing all the code, so this may not be relevant, but be really careful how you deal with the data going back and forth. If you’re not sanitising that user input, just outputting it back onto the screen (with escaping disabled) is an age-old way to open yourself up to injection attacks.
@Tim thank you for the reminders. I do the sanitising - as used in the default SearchForm. I’m making changes on the result. I published only the code that seemed relevant.
Well, to me “prints out” sounds more like what is sent by the server, i.e. the HTML. And the difference between HTML and what is rendered is the core of this issue, hence my preamble.