From 134e7074ce0712fd68fb7116cea8601b53b693a9 Mon Sep 17 00:00:00 2001 From: Simon Wisselink Date: Thu, 21 Sep 2023 23:52:45 +0200 Subject: [PATCH] Do not auto-html-escape custom function results. Fixes #906 This behavior is under-defined though. This requires some clear documentation. --- src/Compiler/Template.php | 2 +- .../A_Core/AutoEscape/AutoEscapeTest.php | 31 +++++++++++++++++++ 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/src/Compiler/Template.php b/src/Compiler/Template.php index 03ee51102..95eeb932f 100644 --- a/src/Compiler/Template.php +++ b/src/Compiler/Template.php @@ -1140,7 +1140,7 @@ private function compileTag2($tag, $args, $parameter) { if ($this->smarty->getFunctionHandler($base_tag)) { if (!isset($this->smarty->security_policy) || $this->smarty->security_policy->isTrustedTag($base_tag, $this)) { return (new \Smarty\Compile\PrintExpressionCompiler())->compile( - [], + ['nofilter'], // functions are never auto-escaped $this, ['value' => $this->compileFunctionCall($base_tag, $args, $parameter)] ); diff --git a/tests/UnitTests/A_Core/AutoEscape/AutoEscapeTest.php b/tests/UnitTests/A_Core/AutoEscape/AutoEscapeTest.php index f8ea54d59..f26f0f934 100644 --- a/tests/UnitTests/A_Core/AutoEscape/AutoEscapeTest.php +++ b/tests/UnitTests/A_Core/AutoEscape/AutoEscapeTest.php @@ -30,4 +30,35 @@ public function testAutoEscape() $tpl->assign('foo', ''); $this->assertEquals("<a@b.c>", $this->smarty->fetch($tpl)); } + + /** + * test 'escapeHtml' property + * @group issue906 + */ + public function testAutoEscapeDoesNotEscapeFunctionPlugins() + { + $this->smarty->registerPlugin( + \Smarty\Smarty::PLUGIN_FUNCTION, + 'horizontal_rule', + function ($params, $smarty) { return "
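Review bot: The added comment on the `+['nofilter']` line understates what it does: with `escape_html` enabled a template author can now receive unescaped output from any registered function plugin, so the escaping duty moves to the plugin author, and nothing in this hunk records that contract; suggest `// functions are never auto-escaped: plugin output is emitted verbatim, so the plugin itself must escape any untrusted data it returns`. If `'nofilter'` carries the same meaning here as the template-level `nofilter` flag, it presumably also bypasses registered variable filters and default modifiers rather than only the HTML auto-escape, which is worth stating either in that comment or in the documentation the commit message says is still needed. The same trusted-tag check gates this path via `isTrustedTag`, so a security policy remains the only place to restrict which plugins can emit raw markup. `compileTag2` starts before and continues after this hunk.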
"; } + ); + $tpl = $this->smarty->createTemplate('eval:{horizontal_rule}'); + $this->assertEquals("
", $this->smarty->fetch($tpl)); + } + + /** + * test 'escapeHtml' property + * @group issue906 + */ + public function testAutoEscapeDoesNotEscapeBlockPlugins() + { + $this->smarty->registerPlugin( + \Smarty\Smarty::PLUGIN_BLOCK, + 'paragraphify', + function ($params, $content) { return $content == null ? null : "

".$content."

"; } + ); + $tpl = $this->smarty->createTemplate('eval:{paragraphify}hi{/paragraphify}'); + $this->assertEquals("

hi

", $this->smarty->fetch($tpl)); + } + }