From b044c456798ac5f6d4ad9a8f73bc80857a433470 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Deruss=C3=A9?=
Date: Wed, 3 Sep 2014 22:47:06 +0200
Subject: [PATCH] Escape parameter on generated response
---
 src/Symfony/Component/HttpKernel/HttpCache/Esi.php | 6 +++---
 .../Component/HttpKernel/Tests/HttpCache/EsiTest.php | 5 +++++
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/Symfony/Component/HttpKernel/HttpCache/Esi.php b/src/Symfony/Component/HttpKernel/HttpCache/Esi.php
index 3ba9ecd818ca..9dd99d64cc49 100644
--- a/src/Symfony/Component/HttpKernel/HttpCache/Esi.php
+++ b/src/Symfony/Component/HttpKernel/HttpCache/Esi.php
@@ -236,9 +236,9 @@ private function handleEsiIncludeTag($attributes)
 throw new \RuntimeException('Unable to process an ESI tag without a "src" attribute.');
 }
- return sprintf('esi->handle($this, \'%s\', \'%s\', %s) ?>'."\n",
- $options['src'],
- isset($options['alt']) ? $options['alt'] : null,
+ return sprintf('esi->handle($this, %s, %s, %s) ?>'."\n",
+ var_export($options['src'], true),
+ var_export(isset($options['alt']) ? $options['alt'] : '', true),
 isset($options['onerror']) && 'continue' == $options['onerror'] ? 'true' : 'false'
 );
 }
diff --git a/src/Symfony/Component/HttpKernel/Tests/HttpCache/EsiTest.php b/src/Symfony/Component/HttpKernel/Tests/HttpCache/EsiTest.php
index 328f855cd308..23e256e85b8b 100644
--- a/src/Symfony/Component/HttpKernel/Tests/HttpCache/EsiTest.php
+++ b/src/Symfony/Component/HttpKernel/Tests/HttpCache/EsiTest.php
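Review bot: Nothing next to the rewritten `sprintf()` in Esi.php records why `src` and `alt` go through `var_export()`, and that reason is the whole security property of this change: the returned string is PHP source (the `x-body-eval` assertion in the test hunk suggests it is evaluated later), while the attribute values are read from the response body. I would add above the return: `// src/alt come from the response body and are embedded in PHP code that gets evaluated: always emit them as PHP literals with var_export(), never by manual quoting.` The `onerror` argument needs no such treatment because only the fixed strings `'true'` and `'false'` are ever emitted for it. handleEsiIncludeTag() starts outside the hunk, so how `$options` is populated is not visible here.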
@@ -110,6 +110,11 @@ public function testProcess() $this->assertEquals('foo esi->handle($this, \'...\', \'alt\', true) ?>'."\n", $response->getContent()); $this->assertEquals('ESI', $response->headers->get('x-body-eval')); + $response = new Response('foo '); + $esi->process($request, $response); + + $this->assertEquals("foo esi->handle(\$this, 'foo\\'', 'bar\\'', true) ?>"."\n", $response->getContent()); + $response = new Response('foo '); $esi->process($request, $response);
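Review bot: The added assertion pins only the single-quote case (`'foo\\''`, `'bar\\''`), but a backslash is the other character that has to be escaped inside a single-quoted PHP literal, and no assertion covers it. `var_export()` handles both, so the code under test is fine; the gap is that a later rewrite which escapes quotes alone would still pass this test. A second response whose `src` and `alt` values contain a backslash, asserted the same way, would close it. testProcess() begins and ends outside the hunk.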