TokenSmartyTest - Add more coverage re: HTML escaping of data

civicrm · Dec 30, 2021 · 95df89a · 95df89a
1 parent e8d1234
commit 95df89a
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/tests/phpunit/CRM/Core/TokenSmartyTest.php b/tests/phpunit/CRM/Core/TokenSmartyTest.php
@@ -132,6 +132,21 @@ public function getDateFormats(): array {
     ];
   }
 
+  public function testTokenDataEscape() {
+    $cutesyContactId = $this->individualCreate([
+      'first_name' => 'Ivan\'s "The Ter<r>ible"',
+    ]);
+    $rendered = CRM_Core_TokenSmarty::render(
+      [
+        'msg_html' => 'First name is <b>{contact.first_name}</b>.',
+        'msg_text' => 'First name is __{contact.first_name}__.',
+      ],
+      ['contactId' => $cutesyContactId]
+    );
+    $this->assertEquals('First name is <b>Ivan&#039;s &quot;The Ter&lt;r&gt;ible&quot;</b>.', $rendered['msg_html']);
+    $this->assertEquals('First name is __Ivan\'s "The Ter<r>ible"__.', $rendered['msg_text']);
+  }
+
   /**
    * Someone malicious gives cutesy expressions (via token-content) that tries to provoke extra evaluation.
    */