#326 fix unsafe output in html tag content

casid · Mar 21, 2024 · 361c12f · 361c12f
1 parent 7dc7ce3
commit 361c12f
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/jte/src/main/java/gg/jte/compiler/TemplateParser.java b/jte/src/main/java/gg/jte/compiler/TemplateParser.java
@@ -754,11 +754,22 @@ private void interceptHtmlTags() {
                     visitor.onError("Unclosed tag <" + currentHtmlTag.name + ">, expected " + "</" + currentHtmlTag.name + ">, got </" + tagName + ">.");
                 }
                 tagClosed = true;
-            } else if (!currentHtmlTag.attributesProcessed && !Character.isWhitespace(currentChar) && currentChar != '/' && currentHtmlTag.isCurrentAttributeComplete()) {
+            } else if (!currentHtmlTag.attributesProcessed && !Character.isWhitespace(currentChar) && currentChar != '/' && currentChar != '=' && currentHtmlTag.isCurrentAttributeComplete()) {
                 HtmlAttribute attribute = parseHtmlAttribute();
                 if (attribute != null) {
                     htmlPolicy.validateHtmlAttribute(currentHtmlTag, attribute);
 
+                    if (attribute.name.startsWith("$unsafe{")) {
+                        i += "$unsafe".length() - 1;
+                        outputPrevented = false;
+                        return;
+                    }
+
+                    if (attribute.name.startsWith("${")) {
+                        outputPrevented = false;
+                        return;
+                    }
+
                     currentHtmlTag.attributes.add(attribute);
 
                     if (attribute.isSmartAttribute()) {

diff --git a/jte/src/test/java/gg/jte/TemplateEngine_HtmlOutputEscapingTest.java b/jte/src/test/java/gg/jte/TemplateEngine_HtmlOutputEscapingTest.java
@@ -1704,6 +1704,24 @@ void attributes_dynamicNameForHotwire_unsafe_worksWithDefaultPolicyToo() {
 
             assertThat(output.toString()).isEqualTo("<div data-controller=\"hello\">\n<input data-hello-target=\"name\"/></div>");
         }
+
+        @Test
+        void attributes_dynamicAttributesForHtmx() {
+            codeResolver.givenCode("template.jte", "@param String htmx\n<div ${htmx}/>");
+
+            templateEngine.render("template.jte", TemplateUtils.toMap("htmx", "hx-get=/helloWorld hx-swap=outerHTML"), output);
+
+            assertThat(output.toString()).isEqualTo("<div hx-get=/helloWorld hx-swap=outerHTML/>");
+        }
+
+        @Test
+        void attributes_dynamicAttributesForHtmx_unsafe() {
+            codeResolver.givenCode("template.jte", "@param String htmx\n<div $unsafe{htmx}/>");
+
+            templateEngine.render("template.jte", TemplateUtils.toMap("htmx", "hx-get=/helloWorld hx-swap=outerHTML"), output);
+
+            assertThat(output.toString()).isEqualTo("<div hx-get=/helloWorld hx-swap=outerHTML/>");
+        }
     }
 
     @SuppressWarnings("unused")