Latte: security fix for escaping inside <script>, prevents "Script da…

…ta escape start state"

http://www.whatwg.org/specs/web-apps/current-work/multipage/tokenization.html#script-data-escape-start-state

Nette/Templating/Helpers.php

@@ -118,7 +118,7 @@ public static function escapeCss($s)
 
 
 	/**
-	 * Escapes string for use inside JavaScript template.
+	 * Escapes variables for use inside <script>.
 	 * @param  mixed  UTF-8 encoding
 	 * @return string
 	 */
@@ -127,7 +127,7 @@ public static function escapeJs($s)
 		if (is_object($s) && ($s instanceof ITemplate || $s instanceof Html || $s instanceof Form)) {
 			$s = $s->__toString(TRUE);
 		}
-		return str_replace(']]>', ']]\x3E', Nette\Utils\Json::encode($s));
+		return str_replace(array(']]>', '<!'), array(']]\x3E', '\x3C!'), Nette\Utils\Json::encode($s));
 	}
 
 

tests/Nette/Latte/expected/macros.general.html.html

@@ -45,7 +45,7 @@
 	<li id="item-3" class="odd">Paul</li>
 
 
-	<li id="item-4" class="even">]]&gt;</li>
+	<li id="item-4" class="even">]]&gt; &lt;!--</li>
 	</ul>
 
 
@@ -64,7 +64,7 @@
 <!--
 alert('</div>');
 
-var prop = ["John","Mary","Paul","]]\x3E"];
+var prop = ["John","Mary","Paul","]]\x3E \x3C!--"];
 
 document.getElementById("some&<>\"'\/chars").style.backgroundColor = 'red';
 
@@ -76,7 +76,7 @@
 <script>
 /* <![CDATA[ */
 
-var prop2 = ["John","Mary","Paul","]]\x3E"];
+var prop2 = ["John","Mary","Paul","]]\x3E \x3C!--"];
 
 /* ]]> */
 </script>
@@ -123,7 +123,7 @@
 	<li>John</li>
 	<li>Mary</li>
 	<li>Paul</li>
-	<li>]]&gt;</li>
+	<li>]]&gt; &lt;!--</li>
 </ul>
 
 <ul title="for">

tests/Nette/Latte/expected/macros.general.xhtml.html

@@ -45,7 +45,7 @@
 	<li id="item-3" class="odd">Paul</li>
 
 
-	<li id="item-4" class="even">]]&gt;</li>
+	<li id="item-4" class="even">]]&gt; &lt;!--</li>
 	</ul>
 
 
@@ -64,7 +64,7 @@
 <!--
 alert('</div>');
 
-var prop = ["John","Mary","Paul","]]\x3E"];
+var prop = ["John","Mary","Paul","]]\x3E \x3C!--"];
 
 document.getElementById("some&<>\"'\/chars").style.backgroundColor = 'red';
 
@@ -76,7 +76,7 @@
 <script>
 /* <![CDATA[ */
 
-var prop2 = ["John","Mary","Paul","]]\x3E"];
+var prop2 = ["John","Mary","Paul","]]\x3E \x3C!--"];
 
 /* ]]> */
 </script>
@@ -123,7 +123,7 @@
 	<li>John</li>
 	<li>Mary</li>
 	<li>Paul</li>
-	<li>]]&gt;</li>
+	<li>]]&gt; &lt;!--</li>
 </ul>
 
 <ul title="for">

tests/Nette/Latte/expected/macros.xml.html

@@ -47,7 +47,7 @@
 	<li>John</li>
 	<li>Mary</li>
 	<li>Paul</li>
-	<li>]]&gt;</li>
+	<li>]]&gt; &lt;!--</li>
 </ul>
 
 <p>

tests/Nette/Latte/macros.general.html.phpt

@@ -28,7 +28,7 @@ $template->registerHelperLoader('Nette\Templating\Helpers::loader');
 
 $template->hello = '<i>Hello</i>';
 $template->xss = 'some&<>"\'/chars';
-$template->people = array('John', 'Mary', 'Paul', ']]>');
+$template->people = array('John', 'Mary', 'Paul', ']]> <!--');
 $template->menu = array('about', array('product1', 'product2'), 'contact');
 $template->el = Html::el('div')->title('1/2"');
 

tests/Nette/Latte/macros.general.xhtml.phpt

@@ -26,7 +26,7 @@ $template->registerHelperLoader('Nette\Templating\Helpers::loader');
 
 $template->hello = '<i>Hello</i>';
 $template->xss = 'some&<>"\'/chars';
-$template->people = array('John', 'Mary', 'Paul', ']]>');
+$template->people = array('John', 'Mary', 'Paul', ']]> <!--');
 $template->menu = array('about', array('product1', 'product2'), 'contact');
 $template->el = Html::el('div')->title('1/2"');
 

tests/Nette/Latte/macros.xml.phpt

@@ -27,7 +27,7 @@ $template->registerHelperLoader('Nette\Templating\Helpers::loader');
 
 $template->hello = '<i>Hello</i>';
 $template->id = ':/item';
-$template->people = array('John', 'Mary', 'Paul', ']]>');
+$template->people = array('John', 'Mary', 'Paul', ']]> <!--');
 $template->comment = 'test -- comment';
 $template->netteHttpResponse = new Nette\Http\Response;
 $template->el = Html::el('div')->title('1/2"');