Entities & Encoding#
Entities are variables that can be used throughout a Miva Merchant Page template to display a value on the screen. Depending on which items you have assigned to a page, you have access to different entities that you can use to write a value to the screen.
Entity Examples#
All entities start with the ampersand (&) and end with a semicolon (;).
- &mvt:store:name; - Prints the store name
- &mvte:category:name; - Prints the current category name encoded
- &mvt:product:formatted_price; - Prints the formatted price of the product
The first part, &mvt, tells us this is a Miva Merchant page template entity. The middle part, like store or category, tells us what part of the store interface is being referenced (which item is being referenced). The last part, like name or formatted_price, gives the specific piece of information to use from the item being referenced.
An entity can contain different types of data, from integers to text strings to image URLs.
In Miva Merchant, when outputting variables to a page, developers have several encoding options: no encoding, entity encoding, attribute encoding, and JSON encoding. Each option serves distinct purposes, and it’s crucial to understand when to employ each.
- &mvt - Prints the value directly to the screen with no encoding.
- &mvte - Variables that begin with &mvte are entity encoded. All HTML special characters are encoded so they are not interpreted by the browser. This is used for all form input values and anywhere user input is written back to the page. Entity encoding variables protects against cross-site scripting and other harmful attacks.
- &mvta - Variables that begin with &mvta are attribute encoded. This means that any characters they contain will be converted to the correct format for use in a link. This is used for all links and will convert spaces and other characters to link-friendly characters.
- &mvtj - Variables that begin with &mvtj are JSON encoded. This means that any characters they contain will be converted to the correct format for use in JSON.
- &mvts - Outputs the value as a “slugified” value. All spaces get replaced with dashes and special characters get removed. Multiple dashes in a row get replaced with a single dash.
Encoding Entities#
In HTML, certain characters, such as the greater-than or less-than signs, have special significance. These characters are reserved because they’re integral to HTML syntax, so to display them literally they are written as entities. For instance, & is represented as &amp; in HTML. When using &mvte:, Miva Merchant identifies these characters within a variable and encodes them into their HTML entity equivalent. This encoding is particularly crucial for security purposes, such as preventing cross-site scripting attacks. Encoding special characters neutralizes malicious code injected into user input.
Attribute Encoding#
Attribute encoding, denoted by &mvta:, serves a similar purpose but is primarily used for URLs. For instance, spaces are not valid characters in URLs, so attribute encoding replaces them with their attribute equivalent, typically %20. This encoding ensures that URLs remain valid and functional, mitigating potential errors.
Choosing the appropriate encoding method depends on the specific requirements of the output. While &mvte: is commonly used for general variable output to safeguard against security threats, &mvta: is preferred when dealing with URLs to maintain their integrity.
Understanding and appropriately applying these encoding options is vital for safeguarding against security vulnerabilities and ensuring the proper functionality of outputted variables in Miva Merchant.
Examples#
Standard Encoding#
<mvt:assign name="g.no_encoding" value="'This is not encoded'" />
Output: &mvt:global:no_encoding;
Entity Encoding#
<mvt:assign name="g.myvariable" value="'<script> alert (\"oh no\")</script>'" />
Output: &mvte:global:myvariable;
Attribute Encoding#
<mvt:assign name="g.attribute_encoded" value="'This is attribute, encoded'" />
Output: &mvta:global:attribute_encoded;
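What each prefix does to the test string from the entity-encoding example above, as an added Python illustration that is not Miva Merchant code. Standard-library functions stand in for Miva's encoders, so the store's exact output may differ; the function names, the /search URL and the surrounding markup are assumptions.

```python
import html
import json
import re
from urllib.parse import quote

# Constructed sample: the same test string the page assigns to g.myvariable.
SAMPLE = '<script> alert ("oh no")</script>'

def mvt(value):
    """&mvt: no encoding, the value reaches the browser as written."""
    return value

def mvte(value):
    """&mvte: entity encoding, for HTML text and form input values."""
    return html.escape(value, quote=True)

def mvta(value):
    """&mvta: attribute encoding as the page describes it (space -> %20)."""
    return quote(value, safe="")

def mvtj(value):
    """&mvtj: JSON string escaping, without the surrounding quotes."""
    return json.dumps(value)[1:-1]

def mvts(value):
    """&mvts: slug, following the three rules the page lists."""
    value = value.replace(" ", "-")              # spaces become dashes
    value = re.sub(r"[^A-Za-z0-9-]", "", value)  # special characters removed
    return re.sub(r"-{2,}", "-", value)          # runs of dashes collapsed

def render(value):
    """Place the value in the output context each prefix is meant for."""
    return {
        "mvt": "<p>" + mvt(value) + "</p>",                 # markup survives
        "mvte": '<input value="' + mvte(value) + '">',      # inert text
        "mvta": '<a href="/search?q=' + mvta(value) + '">', # valid URL
        "mvtj": '{"q": "' + mvtj(value) + '"}',             # valid JSON
        "mvts": "/" + mvts(value) + ".html",                # path segment
    }

if __name__ == "__main__":
    for prefix, out in render(SAMPLE).items():
        print(f"&{prefix:<5} {out}")
```

Only the &mvt row still contains a live script tag; the other rows carry the same data in a form that is safe for the context shown next to them, which is why the prefix has to match where the value is written.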