Compiler: checks macro is not in quotes in JS even with |noescape
dg committed Jan 27, 2022
1 parent 372167b commit d1e965b
Showing 2 changed files with 13 additions and 13 deletions.
15 changes: 8 additions & 7 deletions src/Latte/Compiler/Compiler.php
Expand Up @@ -863,16 +863,17 @@ public function expandMacro(string $name, string $args, string $modifiers = '',

if (!Helpers::removeFilter($modifiers, 'noescape')) {
$modifiers .= '|escape';
if (
$this->context === self::CONTEXT_HTML_JS
&& $name === '='
&& preg_match('#["\'] *$#D', $this->tokens[$this->position - 1]->text)
) {
throw new CompileException("Do not place {$this->tokens[$this->position]->text} inside quotes.");
}
} elseif ($this->policy && !$this->policy->isFilterAllowed('noescape')) {
throw new SecurityViolationException('Filter |noescape is not allowed.');
}

if (
$this->context === self::CONTEXT_HTML_JS
&& $name === '='
&& preg_match('#["\']$#D', $this->tokens[$this->position - 1]->text)
) {
throw new CompileException("Do not place {$this->tokens[$this->position]->text} inside quotes in JavaScript.");
}
}

if ($nPrefix === MacroNode::PREFIX_INNER && !strcasecmp($this->htmlNode->name, 'script')) {
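Review bot: The condition that survives the commit (the `if` block after the `elseif`) uses `preg_match('#["\']$#D', ...)` whereas the replaced block used `'#["\'] *$#D'`, so a quote followed by whitespace before the macro, e.g. `<script>" {$var}"`, appears to no longer be rejected while `"{$var}"` still is; neither the commit title nor the tests say this narrowing is intended, and if it is not, keep `&& preg_match('#["\'] *$#D', $this->tokens[$this->position - 1]->text)`. Either way the check only inspects the tail of the previous token, so a macro placed later inside a string literal is not detected; a comment above the `if` such as `// heuristic: rejects a macro placed directly after an opening quote in JS context, with or without |noescape; not a full string-literal check` would make that limit explicit for the next reader. The enclosing expandMacro() starts and ends outside the hunk.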
11 changes: 5 additions & 6 deletions tests/Latte/contentType.html.javascript.phpt
Expand Up @@ -40,10 +40,9 @@ Assert::match(
$latte->renderToString('<script>{=[1,2,3]}')
);

Assert::match(
'<script>"123"',
$latte->renderToString('<script>"{=123|noescape}"')
);
Assert::exception(function () use ($latte) {
$latte->compile('<script>"{=123|noescape}"');
}, Latte\CompileException::class, 'Do not place {=123|noescape} inside quotes in JavaScript.');

Assert::match(
'<script id="&lt;&gt;">',
Expand All @@ -52,11 +51,11 @@ Assert::match(

Assert::exception(function () use ($latte) {
$latte->compile('<script> "{$var}" </script>');
}, Latte\CompileException::class, 'Do not place {$var} inside quotes.');
}, Latte\CompileException::class, 'Do not place {$var} inside quotes in JavaScript.');

Assert::exception(function () use ($latte) {
$latte->compile("<script> '{\$var}' </script>");
}, Latte\CompileException::class, 'Do not place {$var} inside quotes.');
}, Latte\CompileException::class, 'Do not place {$var} inside quotes in JavaScript.');

Assert::match(
'<script type="TEXT/X-JAVASCRIPT">"<>"',
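Review bot: With the positive `|noescape` assertion removed (the `Assert::match` that rendered `<script>"123"`), nothing in this file still shows that `|noescape` in JS context is honoured when the macro is not inside quotes; a one-line replacement such as `Assert::match('<script>123', $latte->renderToString('<script>{=123|noescape}'));` would keep that path covered. The quote-detection cases here all put the macro directly after the quote (`"{$var}"`, `'{$var}'`), so the whitespace variant `" {$var}"`, whose handling appears to change with the regex edit in Compiler.php, is untested in either direction; adding an `Assert::exception` (or an `Assert::match`, depending on the intended behaviour) for `'<script> " {$var}" </script>'` would pin it.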
