
Fixing issue where asset paths were not being properly escaped.

1 parent 78ed6f7 commit f0b19ab410257a6411bf8b6990737e4518faf827 @nateabele nateabele committed May 21, 2013
Showing with 32 additions and 13 deletions.
  1. +14 −13 template/view/Renderer.php
  2. +18 −0 tests/cases/template/view/RendererTest.php
@@ -188,38 +188,39 @@ public function __construct(array $config = array()) {
protected function _init() {
parent::_init();
- $request =& $this->_request;
- $context =& $this->_context;
+ $req =& $this->_request;
+ $ctx =& $this->_context;
$classes =& $this->_classes;
$h = $this->_view ? $this->_view->outputFilters['h'] : null;
$this->_handlers += array(
- 'url' => function($url, $ref, array $options = array()) use (&$classes, &$request, $h) {
- $url = $classes['router']::match($url ?: '', $request, $options);
+ 'url' => function($url, $ref, array $options = array()) use (&$classes, &$req, $h) {
+ $url = $classes['router']::match($url ?: '', $req, $options);
return $h ? str_replace('&', '&', $h($url)) : $url;
},
- 'path' => function($path, $ref, array $options = array()) use (&$classes, &$request) {
- $defaults = array('base' => $request ? $request->env('base') : '');
+ 'path' => function($path, $ref, array $options = array()) use (&$classes, &$req, $h) {
+ $defaults = array('base' => $req ? $req->env('base') : '');
$type = 'generic';
if (is_array($ref) && $ref[0] && $ref[1]) {
list($helper, $methodRef) = $ref;
list($class, $method) = explode('::', $methodRef);
$type = $helper->contentMap[$method];
}
- return $classes['media']::asset($path, $type, $options + $defaults);
+ $path = $classes['media']::asset($path, $type, $options + $defaults);
+ return $h ? $h($path) : $path;
},
'options' => '_attributes',
'title' => 'escape',
'value' => 'escape',
- 'scripts' => function($scripts) use (&$context) {
- return "\n\t" . join("\n\t", $context['scripts']) . "\n";
+ 'scripts' => function($scripts) use (&$ctx) {
+ return "\n\t" . join("\n\t", $ctx['scripts']) . "\n";
},
- 'styles' => function($styles) use (&$context) {
- return "\n\t" . join("\n\t", $context['styles']) . "\n";
+ 'styles' => function($styles) use (&$ctx) {
+ return "\n\t" . join("\n\t", $ctx['styles']) . "\n";
},
- 'head' => function($head) use (&$context) {
- return "\n\t" . join("\n\t", $context['head']) . "\n";
+ 'head' => function($head) use (&$ctx) {
+ return "\n\t" . join("\n\t", $ctx['head']) . "\n";
}
);
unset($this->_config['view']);
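Review bot: The escaping added at `$path = $classes['media']::asset(...); return $h ? $h($path) : $path;` still emits the raw asset path whenever `$h` is null, i.e. whenever `$this->_view` is unset (`$h = $this->_view ? $this->_view->outputFilters['h'] : null;`), so the request `base` the added test exercises is unescaped in that configuration; the `url` handler has the same fallback, which deserves a comment at the `$h` assignment such as `// no View: no output filter, url/path handlers return unescaped strings`. The `url` handler also post-processes its escaped result with `str_replace('&', '&', $h($url))`, which as rendered here is a no-op — presumably an `&amp;` entity lost in rendering — whereas the new `path` handler applies `$h` directly, so a path carrying a query string would come out differently from the two handlers; either align them or note why they differ. The `$request`→`$req` and `$context`→`$ctx` renames are unrelated to the fix and make up most of this hunk, which hides the one-line security change in a review. `_init()` closes outside the hunk.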
@@ -96,6 +96,24 @@ public function testUrlAutoEscaping() {
}
/**
+ * Tests that asset paths are properly escaped.
+ */
+ public function testAssetPathEscaping() {
+ $this->subject = new Simple(array(
+ 'response' => new Response(), 'view' => new View(), 'request' => new Request(array(
+ 'base' => '/foo/index.php/>"><script>alert(\'hehe\');</script><link href="HTTP',
+ 'url' => 'foo/index.php/%3E%22%3E%3Cscript%3Ealert%28%27hehe%27%29;%3C/script%3' .
+ 'E%3Clink%20href=%22HTTP/1.0%22%3C',
+ 'env' => array('HTTP_HOST' => 'foo.local')
+ ))
+ ));
+
+ $expected = "/foo/index.php/&gt;&quot;&gt;&lt;script&gt;alert(&#039;hehe&#039;);&lt;";
+ $expected .= "/script&gt;&lt;link href=&quot;HTTP/somefile";
+ $this->assertEqual($expected, $this->subject->path("somefile"));
+ }
+
+ /**
* Tests built-in content handlers for generating URLs, paths to static assets, and handling
* output of elements written to the request context.
*/
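Review bot: The new `testAssetPathEscaping` covers only the configuration with a `View`, where Renderer::_init picks up the `h` output filter; the branch where `$h` is null (no `'view'` in the config) and `path()` returns the unescaped base is not exercised, so a regression there would go unnoticed. A companion test without `'view'` would pin that fallback; the expected value below assumes `asset()` joins the base and file with `/`, as the added assertion implies, so confirm against the media class before relying on it. The `'url'` value passed to `Request` is percent-encoded but never asserted on, so a short comment saying why it is part of the fixture would help the next reader.

```php
    /**
     * Without a `View` there is no output filter, so `path()` is returned verbatim.
     */
    public function testAssetPathWithoutViewIsUnescaped() {
        // constructed fixture: same shape as testAssetPathEscaping, minus 'view'
        $this->subject = new Simple(array(
            'response' => new Response(), 'request' => new Request(array(
                'base' => '/foo/<b>', 'url' => 'foo/%3Cb%3E', 'env' => array('HTTP_HOST' => 'foo.local')
            ))
        ));
        $this->assertEqual('/foo/<b>/somefile', $this->subject->path('somefile'));
    }
```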

1 comment on commit f0b19ab

@ryansnowden
<script>alert(\'hehe\'); ? lol