escaping is mandatory in HtmlAttributeUnquoted & HtmlComment
dg committed Jul 30, 2023
1 parent 0e55b19 commit b16cbd1
Showing 3 changed files with 15 additions and 5 deletions.
4 changes: 3 additions & 1 deletion src/Latte/Compiler/Escaper.php
Expand Up @@ -230,7 +230,7 @@ public function escape(string $str): string
}


public function escapeMandatory(string $str): string
public function escapeMandatory(string $str, ?Position $position = null): string
{
$quote = var_export($this->quote, true);
return match ($this->contentType) {
Expand All @@ -240,10 +240,12 @@ public function escapeMandatory(string $str): string
self::HtmlText => 'LR\Filters::convertHtmlToHtmlRawText(' . $str . ')',
default => "LR\\Filters::convertJSToHtmlRawText($str)",
},
self::HtmlAttributeUnquoted, self::HtmlComment => throw new Latte\CompileException('Using |noescape is not allowed in this context.', $position),
default => $str,
},
ContentType::Xml => match ($this->state) {
self::HtmlAttributeQuoted => "LR\\Filters::escapeHtmlChar($str, $quote)",
self::HtmlAttributeUnquoted, self::HtmlComment => throw new Latte\CompileException('Using |noescape is not allowed in this context.', $position),
default => $str,
},
default => $str,
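Review bot: escapeMandatory now throws in two of its arms (the `self::HtmlAttributeUnquoted, self::HtmlComment` cases added for both content types) but carries no docblock saying so, and the new `?Position $position` parameter is used only to locate that error. I would add above the signature a docblock such as `/** Returns PHP code applying the escaping that stays mandatory under |noescape. @throws Latte\CompileException when raw output cannot be made safe in the current state (unquoted attribute value, comment). */`. Compile-time refusal is the right outcome here: an unquoted attribute value ends at whitespace or `>` and a comment at `-->`, so no character-level filter can make arbitrary content safe in those states. The identical throw expression appears twice; a local closure or shared message constant would keep the HTML and XML arms from drifting apart. The match expression and the method's first arms begin before this hunk, so the remaining states that still fall to `default => $str` are not visible from here.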
2 changes: 1 addition & 1 deletion src/Latte/Compiler/Nodes/Php/ModifierNode.php
Expand Up @@ -70,7 +70,7 @@ public function printSimple(PrintContext $context, string $expr): string

$expr = $escape
? $escaper->escape($expr)
: $escaper->escapeMandatory($expr);
: $escaper->escapeMandatory($expr, $this->position);

return $expr;
}
14 changes: 11 additions & 3 deletions tests/common/Compiler.noescape.phpt
Expand Up @@ -33,9 +33,10 @@ Assert::match(
);

// attribute unquoted values
Assert::match(
'<p title=foo a=\'a\' b="b">></p>',
$latte->renderToString('<p title={="foo a=\'a\' b=\"b\">"|noescape}></p>'),
Assert::exception(
fn() => $latte->renderToString('<p title={="foo a=\'a\' b=\"b\">"|noescape}></p>'),
Latte\CompileException::class,
'Using |noescape is not allowed in this context (on line 1 at column 32)',
);

// attribute quoted values
Expand All @@ -58,3 +59,10 @@ Assert::match(
'<p onclick="foo a=\'a\' b=&quot;b&quot;>"></p>',
$latte->renderToString('<p onclick="{="foo a=\'a\' b=\"b\">"|noescape}"></p>'),
);

// comment
Assert::exception(
fn() => $latte->renderToString('<!-- {="-->"|noescape} -->'),
Latte\CompileException::class,
'Using |noescape is not allowed in this context (on line 1 at column 13)',
);
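Review bot: The XML arm added in Escaper.php (the throw under `ContentType::Xml`) is not exercised by this test file: both new `Assert::exception` cases render with the engine's default content type, so only the HTML branch is covered. A parallel case after switching the engine to XML (`$latte->setContentType(Latte\ContentType::Xml)`, assuming the suite configures content type that way) would pin the second branch. Note also that the thrown message ends with a period (`'Using |noescape is not allowed in this context.'`) while the expectations read `'... in this context (on line 1 at column 32)'`; that relies on CompileException rewriting the message when it appends the position, which is fine if intended but deserves a short comment on the expectation so the coupling is not mistaken for a typo.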
