properly mask escape sequences in quoted strings

symfony · Sep 4, 2014 · d5e769a · d5e769a
1 parent 80536d0
commit d5e769a
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/src/Symfony/Component/Yaml/Escaper.php b/src/Symfony/Component/Yaml/Escaper.php
@@ -26,13 +26,13 @@ class Escaper
     // first to ensure proper escaping because str_replace operates iteratively
     // on the input arrays. This ordering of the characters avoids the use of strtr,
     // which performs more slowly.
-    private static $escapees = array('\\\\', '\\"', '"',
+    private static $escapees = array('\\', '\\\\', '\\"', '"',
                                      "\x00",  "\x01",  "\x02",  "\x03",  "\x04",  "\x05",  "\x06",  "\x07",
                                      "\x08",  "\x09",  "\x0a",  "\x0b",  "\x0c",  "\x0d",  "\x0e",  "\x0f",
                                      "\x10",  "\x11",  "\x12",  "\x13",  "\x14",  "\x15",  "\x16",  "\x17",
                                      "\x18",  "\x19",  "\x1a",  "\x1b",  "\x1c",  "\x1d",  "\x1e",  "\x1f",
                                      "\xc2\x85", "\xc2\xa0", "\xe2\x80\xa8", "\xe2\x80\xa9");
-    private static $escaped  = array('\\"', '\\\\', '\\"',
+    private static $escaped  = array('\\\\', '\\"', '\\\\', '\\"',
                                      "\\0",   "\\x01", "\\x02", "\\x03", "\\x04", "\\x05", "\\x06", "\\a",
                                      "\\b",   "\\t",   "\\n",   "\\v",   "\\f",   "\\r",   "\\x0e", "\\x0f",
                                      "\\x10", "\\x11", "\\x12", "\\x13", "\\x14", "\\x15", "\\x16", "\\x17",

diff --git a/src/Symfony/Component/Yaml/Tests/DumperTest.php b/src/Symfony/Component/Yaml/Tests/DumperTest.php
@@ -199,6 +199,29 @@ public function testObjectSupportDisabledWithExceptions()
     {
         $this->dumper->dump(array('foo' => new A(), 'bar' => 1), 0, 0, true, false);
     }
+
+    /**
+     * @dataProvider getEscapeSequences
+     */
+    public function testEscapedEscapeSequencesInQuotedScalar($escapeSequence)
+    {
+        $this->assertEquals('"\t\\'.$escapeSequence.'"', $this->dumper->dump("\t".$escapeSequence));
+    }
+
+    public function getEscapeSequences()
+    {
+        return array(
+            'null' => array('\0'),
+            'bell' => array('\a'),
+            'backspace' => array('\b'),
+            'horizontal-tab' => array('\t'),
+            'line-feed' => array('\n'),
+            'vertical-tab' => array('\v'),
+            'form-feed' => array('\f'),
+            'carriage-return' => array('\r'),
+            'escape' => array('\e'),
+        );
+    }
 }
 
 class A