Filters: compatibility with JS binding II.

- when {{ is used inside a <script type="text/template"> it can either be written as entity { OR with comment - when {{ is used in HTML it must be written with comment (which cannot be used in HTML attribute)
nette · Oct 27, 2021 · 1adde0c · 1adde0c
1 parent 7964d02
commit 1adde0c
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 1 deletion.
diff --git a/src/Latte/Runtime/Filters.php b/src/Latte/Runtime/Filters.php
@@ -65,7 +65,9 @@ public static function escapeHtmlAttr($s, bool $double = true): string
 		if (strpos($s, '`') !== false && strpbrk($s, ' <>"\'') === false) {
 			$s .= ' '; // protection against innerHTML mXSS vulnerability nette/nette#1496
 		}
-		return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8', $double);
+		$s = htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8', $double);
+		$s = str_replace('{', '&#123;', $s);
+		return $s;
 	}
 
 

diff --git a/tests/Latte/Filters.escapeHtmlAttr().phpt b/tests/Latte/Filters.escapeHtmlAttr().phpt
@@ -29,3 +29,6 @@ Assert::same('`hello&apos;', Filters::escapeHtmlAttr("`hello'"));
 // invalid UTF-8
 Assert::same("foo \u{FFFD} bar", Filters::escapeHtmlAttr("foo \u{D800} bar")); // invalid codepoint high surrogates
 Assert::same("foo \u{FFFD}&quot; bar", Filters::escapeHtmlAttr("foo \xE3\x80\x22 bar")); // stripped UTF
+
+// JS
+Assert::same('hello &#123; worlds }', Filters::escapeHtmlAttr('hello { worlds }'));
diff --git a/tests/Latte/Filters.escapeHtmlAttrConv().phpt b/tests/Latte/Filters.escapeHtmlAttrConv().phpt
@@ -29,3 +29,6 @@ Assert::same('`hello&apos;', Filters::escapeHtmlAttrConv("`hello'"));
 // invalid UTF-8
 Assert::same("foo \u{FFFD} bar", Filters::escapeHtmlAttrConv("foo \u{D800} bar")); // invalid codepoint high surrogates
 Assert::same("foo \u{FFFD}&quot; bar", Filters::escapeHtmlAttrConv("foo \xE3\x80\x22 bar")); // stripped UTF
+
+// JS
+Assert::same('hello &#123; worlds }', Filters::escapeHtmlAttrConv('hello { worlds }'));
diff --git a/tests/Latte/Filters.escapeHtmlAttrUnquoted().phpt b/tests/Latte/Filters.escapeHtmlAttrUnquoted().phpt
@@ -26,3 +26,6 @@ Assert::same('"`hello "', Filters::escapeHtmlAttrUnquoted('`hello'));
 // invalid UTF-8
 Assert::same("\"foo \u{FFFD} bar\"", Filters::escapeHtmlAttrUnquoted("foo \u{D800} bar")); // invalid codepoint high surrogates
 Assert::same("\"foo \u{FFFD}&quot; bar\"", Filters::escapeHtmlAttrUnquoted("foo \xE3\x80\x22 bar")); // stripped UTF
+
+// JS
+Assert::same('"hello &#123; worlds }"', Filters::escapeHtmlAttrUnquoted('hello { worlds }'));