Escape inline values for template sections

src/Views/EscapedValue.php

@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Phenix\Views;
+
+use Stringable;
+
+class EscapedValue implements Stringable
+{
+    public function __construct(
+        protected string $value,
+    ) {
+    }
+
+    public function __toString(): string
+    {
+        return e($this->value);
+    }
+}

src/Views/Layout.php

@@ -15,8 +15,6 @@ public function __construct(
     ) {
         parent::__construct($template, $data);
 
-        foreach ($sections as $name => $value) {
-            $this->templateFactory->startSection($name, $value);
-        }
+        $this->templateFactory->inheritSections($sections);
     }
 }

src/Views/TemplateFactory.php

@@ -5,12 +5,19 @@
 namespace Phenix\Views;
 
 use Phenix\Views\Contracts\View as ViewContract;
+use Stringable;
 
 class TemplateFactory
 {
     protected string|null $section;
+
+    /**
+     * @var array<string, string|Stringable|null>
+     */
     protected array $sections;
+
     protected string|null $layout;
+
     protected array $data;
 
     public function __construct(
@@ -46,15 +53,17 @@ public function make(string $template, array $data = []): ViewContract
 
     public function startSection(string $name, string|null $value = null): void
     {
-        if ($value) {
-            $this->sections[$name] = $value;
-        } else {
-            $this->section = $name;
+        if ($value !== null) {
+            $this->sections[$name] = new EscapedValue($value);
 
-            ob_start();
-
-            $this->sections[$name] = null;
+            return;
         }
+
+        $this->section = $name;
+
+        ob_start();
+
+        $this->sections[$name] = null;
     }
 
     public function endSection(): void
@@ -70,7 +79,15 @@ public function endSection(): void
 
     public function yieldSection(string $name): string
     {
-        return $this->sections[$name] ?? '';
+        return (string) ($this->sections[$name] ?? '');
+    }
+
+    /**
+     * @param array<string, string|Stringable|null> $sections
+     */
+    public function inheritSections(array $sections): void
+    {
+        $this->sections = $sections;
     }
 
     public function clear(): void

tests/Unit/Views/TemplateEngineTest.php

@@ -4,7 +4,9 @@
 
 use Phenix\Facades\View;
 use Phenix\Views\Exceptions\ViewNotFoundException;
+use Phenix\Views\TemplateCache;
 use Phenix\Views\TemplateEngine;
+use Phenix\Views\TemplateFactory;
 
 it('render a template successfully', function (): void {
     $template = new TemplateEngine();
@@ -108,6 +110,48 @@
     expect($output)->toContain('New title');
 });
 
+it('escapes XSS in inline section value', function (): void {
+    $template = new TemplateEngine();
+    $template->clearCache();
+
+    $output = $template->view('users.index', [
+        'title' => '<script>alert("xss")</script>',
+    ])->render();
+
+    expect($output)->toBeString();
+    expect($output)->not->toContain('<script>');
+    expect($output)->toContain('&lt;script&gt;');
+});
+
+it('escapes inline section values in template factory', function (): void {
+    $factory = new TemplateFactory(new TemplateCache());
+
+    $factory->startSection('title', '<script>alert("xss")</script>');
+
+    expect($factory->yieldSection('title'))
+        ->toBe('&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;');
+});
+
+it('preserves rendered block section html in template factory', function (): void {
+    $factory = new TemplateFactory(new TemplateCache());
+
+    $factory->startSection('content');
+    echo '<h1>Users</h1>';
+    $factory->endSection();
+
+    expect($factory->yieldSection('content'))->toBe('<h1>Users</h1>');
+});
+
+it('stores empty and zero inline section values without starting a buffer', function (): void {
+    $factory = new TemplateFactory(new TemplateCache());
+
+    $factory->startSection('empty', '');
+    $factory->startSection('zero', '0');
+
+    expect($factory->yieldSection('empty'))->toBe('');
+    expect($factory->yieldSection('zero'))->toBe('0');
+});
+
 it('render template using facade', function (): void {
     View::clearCache();