View Guide

CorianderPHP views live in public/public_views. Each view contains an index.php template and a metadata.php file for sitemap settings.

Creating a View

Generate a view with the CLI:

php coriander make:view Home

The command creates public/public_views/home/index.php and metadata.php. Update metadata.php to control sitemap inclusion:

<?php
$addViewInSitemap = true;      // include page
$sitemapPriority  = 0.8;       // 0.0 - 1.0

Rendering Images as WebP

Use the built-in ImageHandler to convert images to WebP on the fly inside a view:

<?= \CorianderCore\Core\Image\ImageHandler::render('/public/assets/img/logo.png', 'Site logo'); ?>

The helper converts the image if needed and outputs a <picture> tag with WebP and fallback sources.

If your web server serves the project root instead of the public/ directory, set the public URL prefix in .env:

PUBLIC_URL_PREFIX=/public

When the document root is already public/, leave the prefix empty. URLs generated from /public/assets/... are emitted as /assets/....

Output Safety

Variables passed to view templates are automatically escaped for HTML output to mitigate XSS attacks.

Path Safety

View resolution only accepts normalized relative paths under public/public_views.

  • Dot-segments such as . or .. are rejected.
  • Absolute paths are rejected.
  • Null-byte path fragments are rejected.

This prevents path traversal and accidental inclusion of files outside the view root.

Shared templates now use an internally normalized requested-view value for metadata and asset resolution, instead of raw request path data.

Best Practices

  • Keep view logic minimal; handle business logic in controllers or services.
  • Avoid double escaping; variables provided to views are sanitized by the framework.
  • Store assets under public/assets and reference them with absolute paths.