From 97e696400bded3ef14ea11bb3cc64fd458fcda1e Mon Sep 17 00:00:00 2001
From: David Grudl
Date: Wed, 28 Dec 2022 13:44:13 +0100
Subject: [PATCH] escaping is mandatory in HtmlComment

---
 src/Latte/Compiler/Escaper.php | 4 +++-
 src/Latte/Compiler/Nodes/Php/ModifierNode.php | 2 +-
 tests/common/Compiler.noescape.phpt | 14 +++++++++++---
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/src/Latte/Compiler/Escaper.php b/src/Latte/Compiler/Escaper.php
index a7aba2bbc..e83e55be8 100644
--- a/src/Latte/Compiler/Escaper.php
+++ b/src/Latte/Compiler/Escaper.php
@@ -212,7 +212,7 @@ public function escape(string $str): string
 }
 
 
- public function escapeMandatory(string $str): string
+ public function escapeMandatory(string $str, ?Position $position = null): string
 {
 $quote = var_export($this->quote, true); // TODO
 return match ($this->contentType) {
@@ -222,10 +222,12 @@ public function escapeMandatory(string $str): string
 self::HtmlText => 'LR\Filters::convertHtmlToHtmlRawText(' . $str . ')',
 default => "LR\\Filters::convertJSToHtmlRawText($str)",
 },
+ self::HtmlComment => throw new Latte\CompileException('Using |noescape is not allowed in this context.', $position),
 default => $str,
 },
 ContentType::Xml => match ($this->state) {
 self::HtmlAttribute => "LR\\Filters::escapeHtmlChar($str, $quote)",
+ self::HtmlComment => throw new Latte\CompileException('Using |noescape is not allowed in this context.', $position),
 default => $str,
 },
 default => $str,
diff --git a/src/Latte/Compiler/Nodes/Php/ModifierNode.php b/src/Latte/Compiler/Nodes/Php/ModifierNode.php
index 6f71d09e7..d9f868e7f 100644
--- a/src/Latte/Compiler/Nodes/Php/ModifierNode.php
+++ b/src/Latte/Compiler/Nodes/Php/ModifierNode.php
@@ -70,7 +70,7 @@ public function printSimple(PrintContext $context, string $expr): string
 
 $expr = $escape
 ? $escaper->escape($expr)
- : $escaper->escapeMandatory($expr);
+ : $escaper->escapeMandatory($expr, $this->position);
 
 return $expr;
 }
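Review bot: The new `?Position $position = null` parameter on `escapeMandatory()` (first Escaper.php hunk) is optional, so any caller that is not updated will raise the new `CompileException` without a line and column. The only call site visible in this patch, `ModifierNode::printSimple()`, passes `$this->position`; other callers, if any exist, are outside the diff. Consider documenting the parameter on the method, e.g. `@param ?Position $position  template position reported when |noescape is rejected`, or making it required once every caller supplies it. The method body continues past the end of this hunk.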
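Review bot: The two added `self::HtmlComment => throw new Latte\CompileException(...)` arms (second Escaper.php hunk) have no comment saying why `|noescape` is refused in this state while other states fall through to `default => $str`. A short why-comment would help the next maintainer, e.g. `// raw output inside <!-- --> may contain "-->" and close the comment early, so no unescaped form is safe here`. The `default => $str` arms also fail open: any state not listed emits the expression unescaped, so a state added later would silently allow `|noescape`; a comment naming the states that are intentionally passed through would make that explicit. The message string is duplicated in both arms and could live in one class constant. The start of the `match` is above this hunk, so arms for other states are not visible here.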
diff --git a/tests/common/Compiler.noescape.phpt b/tests/common/Compiler.noescape.phpt index ead26002b..4ab307b40 100644 --- a/tests/common/Compiler.noescape.phpt +++ b/tests/common/Compiler.noescape.phpt @@ -33,9 +33,10 @@ Assert::match( ); // attribute unquoted values -Assert::match( - '

>

', - $latte->renderToString('

"|noescape}>

'), +Assert::exception( + fn() => $latte->renderToString('

"|noescape}>

'), + Latte\CompileException::class, + 'Using |noescape is not allowed in this context (on line 1 at column 32)', ); // attribute quoted values @@ -58,3 +59,10 @@ Assert::match( '

', $latte->renderToString('

"|noescape}">

'), ); + +// comment +Assert::exception( + fn() => $latte->renderToString('"|noescape} -->'), + Latte\CompileException::class, + 'Using |noescape is not allowed in this context (on line 1 at column 13)', +);