From f7bfa2bbc7f1d93ace5dce2c25ce10bfa084565b Mon Sep 17 00:00:00 2001
From: David Grudl <david@grudl.com>
Date: Thu, 27 Jan 2022 12:55:06 +0100
Subject: [PATCH] Compiler: checks macro is not in quotes in JS even with
 |noescape

---
 src/Latte/Compiler/Compiler.php              | 15 ++++++++-------
 tests/Latte/contentType.html.javascript.phpt | 11 +++++------
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/src/Latte/Compiler/Compiler.php b/src/Latte/Compiler/Compiler.php
index c63988565..3133b34c8 100644
--- a/src/Latte/Compiler/Compiler.php
+++ b/src/Latte/Compiler/Compiler.php
@@ -863,16 +863,17 @@ public function expandMacro(string $name, string $args, string $modifiers = '',
 
 			if (!Helpers::removeFilter($modifiers, 'noescape')) {
 				$modifiers .= '|escape';
-				if (
-					$this->context === self::CONTEXT_HTML_JS
-					&& $name === '='
-					&& preg_match('#["\'] *$#D', $this->tokens[$this->position - 1]->text)
-				) {
-					throw new CompileException("Do not place {$this->tokens[$this->position]->text} inside quotes.");
-				}
 			} elseif ($this->policy && !$this->policy->isFilterAllowed('noescape')) {
 				throw new SecurityViolationException('Filter |noescape is not allowed.');
 			}
+
+			if (
+				$this->context === self::CONTEXT_HTML_JS
+				&& $name === '='
+				&& preg_match('#["\']$#D', $this->tokens[$this->position - 1]->text)
+			) {
+				throw new CompileException("Do not place {$this->tokens[$this->position]->text} inside quotes in JavaScript.");
+			}
 		}
 
 		if ($nPrefix === MacroNode::PREFIX_INNER && !strcasecmp($this->htmlNode->name, 'script')) {
diff --git a/tests/Latte/contentType.html.javascript.phpt b/tests/Latte/contentType.html.javascript.phpt
index 5d111c6e0..45a98a452 100644
--- a/tests/Latte/contentType.html.javascript.phpt
+++ b/tests/Latte/contentType.html.javascript.phpt
@@ -40,10 +40,9 @@ Assert::match(
 	$latte->renderToString('<script>{=[1,2,3]}')
 );
 
-Assert::match(
-	'<script>"123"',
-	$latte->renderToString('<script>"{=123|noescape}"')
-);
+Assert::exception(function () use ($latte) {
+	$latte->compile('<script>"{=123|noescape}"');
+}, Latte\CompileException::class, 'Do not place {=123|noescape} inside quotes in JavaScript.');
 
 Assert::match(
 	'<script id="&lt;&gt;">',
@@ -52,11 +51,11 @@ Assert::match(
 
 Assert::exception(function () use ($latte) {
 	$latte->compile('<script> "{$var}" </script>');
-}, Latte\CompileException::class, 'Do not place {$var} inside quotes.');
+}, Latte\CompileException::class, 'Do not place {$var} inside quotes in JavaScript.');
 
 Assert::exception(function () use ($latte) {
 	$latte->compile("<script> '{\$var}' </script>");
-}, Latte\CompileException::class, 'Do not place {$var} inside quotes.');
+}, Latte\CompileException::class, 'Do not place {$var} inside quotes in JavaScript.');
 
 Assert::match(
 	'<script type="TEXT/X-JAVASCRIPT">"<>"',