Filters: compatibility with JS binding II.

- when {{ is used inside a <script type="text/template"> it can either be written as entity { OR with comment - when {{ is used in HTML it must be written with comment (which cannot be used in HTML attribute)
nette · Oct 26, 2021 · a82fd99 · a82fd99
1 parent 7ca3e68
commit a82fd99
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/src/Latte/Runtime/Filters.php b/src/Latte/Runtime/Filters.php
@@ -48,7 +48,7 @@ public static function escapeHtmlText($s): string
 			return $s->__toString(true);
 		}
 		$s = htmlspecialchars((string) $s, ENT_NOQUOTES | ENT_SUBSTITUTE, 'UTF-8');
-		$s = str_replace('{{', '{<!-- -->{', $s);
+		$s = strtr($s, ['{{' => '{<!-- -->{', '{' => '&#123;']);
 		return $s;
 	}
 
@@ -65,7 +65,9 @@ public static function escapeHtmlAttr($s, bool $double = true): string
 		if (strpos($s, '`') !== false && strpbrk($s, ' <>"\'') === false) {
 			$s .= ' '; // protection against innerHTML mXSS vulnerability nette/nette#1496
 		}
-		return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8', $double);
+		$s = htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8', $double);
+		$s = str_replace('{', '&#123;', $s);
+		return $s;
 	}