From f23c2cf3c724b34f5c5ee4ad2873716c758f8bf3 Mon Sep 17 00:00:00 2001
From: David Grudl
Date: Wed, 28 Dec 2022 13:44:13 +0100
Subject: [PATCH] escaping is mandatory in HtmlComment
---
 src/Latte/Compiler/Escaper.php | 4 +++-
 src/Latte/Compiler/Nodes/Php/ModifierNode.php | 2 +-
 tests/common/Compiler.noescape.phpt | 7 +++++++
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/Latte/Compiler/Escaper.php b/src/Latte/Compiler/Escaper.php
index 41537dc7f..fc1b09022 100644
--- a/src/Latte/Compiler/Escaper.php
+++ b/src/Latte/Compiler/Escaper.php
@@ -222,7 +222,7 @@ public function escape(string $str): string
 }
- public function escapeMandatory(string $str): string
+ public function escapeMandatory(string $str, ?Position $position = null): string
 {
 $quote = var_export($this->quote, true); // TODO
 return match ($this->contentType) {
@@ -232,10 +232,12 @@ public function escapeMandatory(string $str): string
 self::HtmlText => 'LR\Filters::convertHtmlToHtmlRawText(' . $str . ')',
 default => "LR\\Filters::convertJSToHtmlRawText($str)",
 },
+ self::HtmlComment => throw new Latte\CompileException('Using |noescape is not allowed in this context.', $position),
 default => $str,
 },
 ContentType::Xml => match ($this->state) {
 self::HtmlAttribute => "LR\\Filters::escapeHtmlChar($str, $quote)",
+ self::HtmlComment => throw new Latte\CompileException('Using |noescape is not allowed in this context.', $position),
 default => $str,
 },
 default => $str,
diff --git a/src/Latte/Compiler/Nodes/Php/ModifierNode.php b/src/Latte/Compiler/Nodes/Php/ModifierNode.php
index 6f71d09e7..d9f868e7f 100644
--- a/src/Latte/Compiler/Nodes/Php/ModifierNode.php
+++ b/src/Latte/Compiler/Nodes/Php/ModifierNode.php
@@ -70,7 +70,7 @@ public function printSimple(PrintContext $context, string $expr): string
 $expr = $escape
 ? $escaper->escape($expr)
- : $escaper->escapeMandatory($expr);
+ : $escaper->escapeMandatory($expr, $this->position);
 return $expr;
 }
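Review bot: In the new `escapeMandatory` signature (Escaper.php, first hunk), `$position` is optional and defaults to null, so a caller that is not updated keeps compiling and only loses the line and column in the resulting `CompileException`. The only call site this patch updates is `printSimple` in ModifierNode.php; any other callers would be outside the visible hunks and are worth checking. A short docblock would make the contract explicit, for example `/** @param ?Position $position where the modifier appears; reported when |noescape is rejected */`. The function body continues past this hunk.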
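Review bot: The two new `self::HtmlComment` arms (Escaper.php, second hunk) carry no comment saying why a comment is an escaping-mandatory context, and the exception text ("in this context") does not name it either. Unescaped output placed there can contain `-->`, which ends the comment early so that whatever follows is parsed as markup; a one-line comment above each arm such as `// unescaped '-->' would terminate the comment, so |noescape is rejected at compile time` records that. The neighbouring `default => $str` arms remain pass-through, so any state not listed explicitly still emits the expression unescaped; that looks intentional for |noescape but deserves a check whenever a new state is added. The enclosing match starts and ends outside this hunk.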
diff --git a/tests/common/Compiler.noescape.phpt b/tests/common/Compiler.noescape.phpt
index 036d978b8..1451e12be 100644
--- a/tests/common/Compiler.noescape.phpt
+++ b/tests/common/Compiler.noescape.phpt
@@ -58,3 +58,10 @@ Assert::match( '

', $latte->renderToString('

"|noescape}">

 '),
 );
+
+// comment
+Assert::exception(
+ fn() => $latte->renderToString('"|noescape} -->'),
+ Latte\CompileException::class,
+ 'Using |noescape is not allowed in this context (on line 1 at column 13)',
+);
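Review bot: The added assertion exercises only one of the two new throwing arms; nothing in this hunk switches the engine to the XML content type, so the `ContentType::Xml` / `self::HtmlComment` arm in Escaper.php appears to be untested. A second `Assert::exception(...)` with the same template and expected message, run after selecting the XML content type on `$latte`, would cover it. The setup of `$latte` is outside the hunk, so the content type in effect here is assumed to be HTML.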