Skip to content

Commit

Permalink
#326 fix unsafe output in html tag content
Browse files Browse the repository at this point in the history
  • Loading branch information
casid committed Mar 21, 2024
1 parent 7dc7ce3 commit 361c12f
Show file tree
Hide file tree
Showing 2 changed files with 30 additions and 1 deletion.
13 changes: 12 additions & 1 deletion jte/src/main/java/gg/jte/compiler/TemplateParser.java
Original file line number Diff line number Diff line change
Expand Up @@ -754,11 +754,22 @@ private void interceptHtmlTags() {
visitor.onError("Unclosed tag <" + currentHtmlTag.name + ">, expected " + "</" + currentHtmlTag.name + ">, got </" + tagName + ">.");
}
tagClosed = true;
} else if (!currentHtmlTag.attributesProcessed && !Character.isWhitespace(currentChar) && currentChar != '/' && currentHtmlTag.isCurrentAttributeComplete()) {
} else if (!currentHtmlTag.attributesProcessed && !Character.isWhitespace(currentChar) && currentChar != '/' && currentChar != '=' && currentHtmlTag.isCurrentAttributeComplete()) {
HtmlAttribute attribute = parseHtmlAttribute();
if (attribute != null) {
htmlPolicy.validateHtmlAttribute(currentHtmlTag, attribute);

if (attribute.name.startsWith("$unsafe{")) {
i += "$unsafe".length() - 1;
outputPrevented = false;
return;
}

if (attribute.name.startsWith("${")) {
outputPrevented = false;
return;
}

currentHtmlTag.attributes.add(attribute);

if (attribute.isSmartAttribute()) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1704,6 +1704,24 @@ void attributes_dynamicNameForHotwire_unsafe_worksWithDefaultPolicyToo() {

assertThat(output.toString()).isEqualTo("<div data-controller=\"hello\">\n<input data-hello-target=\"name\"/></div>");
}

@Test
void attributes_dynamicAttributesForHtmx() {
codeResolver.givenCode("template.jte", "@param String htmx\n<div ${htmx}/>");

templateEngine.render("template.jte", TemplateUtils.toMap("htmx", "hx-get=/helloWorld hx-swap=outerHTML"), output);

assertThat(output.toString()).isEqualTo("<div hx-get=/helloWorld hx-swap=outerHTML/>");
}

@Test
void attributes_dynamicAttributesForHtmx_unsafe() {
codeResolver.givenCode("template.jte", "@param String htmx\n<div $unsafe{htmx}/>");

templateEngine.render("template.jte", TemplateUtils.toMap("htmx", "hx-get=/helloWorld hx-swap=outerHTML"), output);

assertThat(output.toString()).isEqualTo("<div hx-get=/helloWorld hx-swap=outerHTML/>");
}
}

@SuppressWarnings("unused")
Expand Down

0 comments on commit 361c12f

Please sign in to comment.