Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix incorrect code when escape_html=true #930

Merged
merged 1 commit into from
Feb 5, 2024

Conversation

wxiaoguang
Copy link
Contributor

@wxiaoguang wxiaoguang commented Jan 26, 2024

Fix #928

When setting escape_html=true, the following code:

{$foo+$bar}

becomes:

<?php echo htmlspecialchars((string) $_smarty_tpl->tpl_vars['foo']->value+$_smarty_tpl->tpl_vars['bar']->value, ENT_QUOTES, 'UTF-8');?>

The code: (string) $a + $b is not correct, it should be (string) ($a + $b).

@wxiaoguang
Copy link
Contributor Author

Hi @wisskid, is there any interest in this fix? 4.x also needs this fix IMO.

@wisskid
Copy link
Contributor

wisskid commented Feb 5, 2024

I think so. Can you clarify the actual error this causes?

@wxiaoguang
Copy link
Contributor Author

The function: htmlspecialchars(string $string, ....), the first argument's type is string (PHP is more and more strict about typing)

But {$foo+$bar} would result in non-string type:

$ php -r 'echo gettype( (string)1+2 );'
integer%

So, it needs to use htmlspecialchars((string) ({$output}), to make sure the type is string:

$ php -r 'echo gettype( (string)(1+2) );'
string%

@wisskid wisskid merged commit 1820e87 into smarty-php:master Feb 5, 2024
11 checks passed
@wxiaoguang wxiaoguang deleted the fix-escape-5.0 branch February 5, 2024 13:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

escape_html generates incorrect php code
2 participants