Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[7.x] Escape attributes automatically in some situations #31945

Merged
merged 7 commits into from
Mar 13, 2020
Merged

[7.x] Escape attributes automatically in some situations #31945

merged 7 commits into from
Mar 13, 2020

Conversation

taylorotwell
Copy link
Member

No description provided.

@GrahamCampbell GrahamCampbell changed the title Escape attributes automatically in some situations [7.x] Escape attributes automatically in some situations Mar 12, 2020
perifer
perifer reviewed Mar 13, 2020
View reviewed changes
src/Illuminate/View/Compilers/ComponentTagCompiler.php
@@ -165,15 +176,15 @@ protected function componentString(string $component, array $attributes)
if (! class_exists($class)) {
$parameters = [
'view' => "'$class'",
'data' => '['.$this->attributesToString($data->all()).']',
'data' => '['.$this->attributesToString($data->all(), $escapeBound = false).']',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is currently not covered by any test (Changing to $escapeBound = true doesn't cause any tests to fail).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is an attempt to cover this in testClasslessComponents(): perifer@46176c6

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@taylorotwell taylorotwell merged commit ae4d790 into 7.x Mar 13, 2020
@GrahamCampbell GrahamCampbell deleted the escape-attributes branch March 15, 2020 10:08
@GrahamCampbell
Copy link
Member

@bakerkretzmar
Copy link
Contributor

@perifer @taylorotwell @GrahamCampbell is there any way to disable this sanitizing if I do want to pass in a class with a __toString() method, and have it available as a PHP object (not a string) inside my component?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@perifer perifer perifer left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@taylorotwell @GrahamCampbell @bakerkretzmar @perifer