XML/HTML entities in attributes will no longer be preserved when rend…

…ering (#353) This applies the previous commit's XSS fix to all custom attributes
thephpleague · Mar 21, 2019 · 6f16c6e · 6f16c6e · glensc · Mar 28, 2019
1 parent f1453b9
commit 6f16c6e
Show file tree

Hide file tree

Showing 14 changed files with 17 additions and 13 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@ Updates should follow the [Keep a CHANGELOG](http://keepachangelog.com/) princip
 
 ## [Unreleased][unreleased]
 
+### Changed
+
+ - XML/HTML entities in attributes will no longer be preserved when rendering (#353)
+
 ### Fixed
 
  - Fix XSS vulnerability caused by improper preservation of entities when rendering (#353)

diff --git a/src/Block/Renderer/BlockQuoteRenderer.php b/src/Block/Renderer/BlockQuoteRenderer.php
@@ -37,7 +37,7 @@ public function render(AbstractBlock $block, ElementRendererInterface $htmlRende
 
         $attrs = [];
         foreach ($block->getData('attributes', []) as $key => $value) {
-            $attrs[$key] = Xml::escape($value, true);
+            $attrs[$key] = Xml::escape($value);
         }
 
         $filling = $htmlRenderer->renderBlocks($block->children());

diff --git a/src/Block/Renderer/FencedCodeRenderer.php b/src/Block/Renderer/FencedCodeRenderer.php
@@ -37,7 +37,7 @@ public function render(AbstractBlock $block, ElementRendererInterface $htmlRende
 
         $attrs = [];
         foreach ($block->getData('attributes', []) as $key => $value) {
-            $attrs[$key] = Xml::escape($value, true);
+            $attrs[$key] = Xml::escape($value);
         }
 
         $infoWords = $block->getInfoWords();

diff --git a/src/Block/Renderer/HeadingRenderer.php b/src/Block/Renderer/HeadingRenderer.php
@@ -39,7 +39,7 @@ public function render(AbstractBlock $block, ElementRendererInterface $htmlRende
 
         $attrs = [];
         foreach ($block->getData('attributes', []) as $key => $value) {
-            $attrs[$key] = Xml::escape($value, true);
+            $attrs[$key] = Xml::escape($value);
         }
 
         return new HtmlElement($tag, $attrs, $htmlRenderer->renderInlines($block->children()));

diff --git a/src/Block/Renderer/IndentedCodeRenderer.php b/src/Block/Renderer/IndentedCodeRenderer.php
@@ -37,7 +37,7 @@ public function render(AbstractBlock $block, ElementRendererInterface $htmlRende
 
         $attrs = [];
         foreach ($block->getData('attributes', []) as $key => $value) {
-            $attrs[$key] = Xml::escape($value, true);
+            $attrs[$key] = Xml::escape($value);
         }
 
         return new HtmlElement(

diff --git a/src/Block/Renderer/ListBlockRenderer.php b/src/Block/Renderer/ListBlockRenderer.php
@@ -41,7 +41,7 @@ public function render(AbstractBlock $block, ElementRendererInterface $htmlRende
 
         $attrs = [];
         foreach ($block->getData('attributes', []) as $key => $value) {
-            $attrs[$key] = Xml::escape($value, true);
+            $attrs[$key] = Xml::escape($value);
         }
 
         if ($listData->start !== null && $listData->start !== 1) {

diff --git a/src/Block/Renderer/ListItemRenderer.php b/src/Block/Renderer/ListItemRenderer.php
@@ -45,7 +45,7 @@ public function render(AbstractBlock $block, ElementRendererInterface $htmlRende
 
         $attrs = [];
         foreach ($block->getData('attributes', []) as $key => $value) {
-            $attrs[$key] = Xml::escape($value, true);
+            $attrs[$key] = Xml::escape($value);
         }
 
         $li = new HtmlElement('li', $attrs, $contents);

diff --git a/src/Block/Renderer/ParagraphRenderer.php b/src/Block/Renderer/ParagraphRenderer.php
@@ -41,7 +41,7 @@ public function render(AbstractBlock $block, ElementRendererInterface $htmlRende
 
         $attrs = [];
         foreach ($block->getData('attributes', []) as $key => $value) {
-            $attrs[$key] = Xml::escape($value, true);
+            $attrs[$key] = Xml::escape($value);
         }
 
         return new HtmlElement('p', $attrs, $htmlRenderer->renderInlines($block->children()));

diff --git a/src/Block/Renderer/ThematicBreakRenderer.php b/src/Block/Renderer/ThematicBreakRenderer.php
@@ -37,7 +37,7 @@ public function render(AbstractBlock $block, ElementRendererInterface $htmlRende
 
         $attrs = [];
         foreach ($block->getData('attributes', []) as $key => $value) {
-            $attrs[$key] = Xml::escape($value, true);
+            $attrs[$key] = Xml::escape($value);
         }
 
         return new HtmlElement('hr', $attrs, '', true);

diff --git a/src/Inline/Renderer/CodeRenderer.php b/src/Inline/Renderer/CodeRenderer.php
@@ -36,7 +36,7 @@ public function render(AbstractInline $inline, ElementRendererInterface $htmlRen
 
         $attrs = [];
         foreach ($inline->getData('attributes', []) as $key => $value) {
-            $attrs[$key] = Xml::escape($value, true);
+            $attrs[$key] = Xml::escape($value);
         }
 
         return new HtmlElement('code', $attrs, Xml::escape($inline->getContent()));

diff --git a/src/Inline/Renderer/EmphasisRenderer.php b/src/Inline/Renderer/EmphasisRenderer.php
@@ -36,7 +36,7 @@ public function render(AbstractInline $inline, ElementRendererInterface $htmlRen
 
         $attrs = [];
         foreach ($inline->getData('attributes', []) as $key => $value) {
-            $attrs[$key] = Xml::escape($value, true);
+            $attrs[$key] = Xml::escape($value);
         }
 
         return new HtmlElement('em', $attrs, $htmlRenderer->renderInlines($inline->children()));

diff --git a/src/Inline/Renderer/ImageRenderer.php b/src/Inline/Renderer/ImageRenderer.php
@@ -44,7 +44,7 @@ public function render(AbstractInline $inline, ElementRendererInterface $htmlRen
 
         $attrs = [];
         foreach ($inline->getData('attributes', []) as $key => $value) {
-            $attrs[$key] = Xml::escape($value, true);
+            $attrs[$key] = Xml::escape($value);
         }
 
         $forbidUnsafeLinks = $this->config->getConfig('safe') || !$this->config->getConfig('allow_unsafe_links');

diff --git a/src/Inline/Renderer/LinkRenderer.php b/src/Inline/Renderer/LinkRenderer.php
@@ -44,7 +44,7 @@ public function render(AbstractInline $inline, ElementRendererInterface $htmlRen
 
         $attrs = [];
         foreach ($inline->getData('attributes', []) as $key => $value) {
-            $attrs[$key] = Xml::escape($value, true);
+            $attrs[$key] = Xml::escape($value);
         }
 
         $forbidUnsafeLinks = $this->config->getConfig('safe') || !$this->config->getConfig('allow_unsafe_links');

diff --git a/src/Inline/Renderer/StrongRenderer.php b/src/Inline/Renderer/StrongRenderer.php
@@ -36,7 +36,7 @@ public function render(AbstractInline $inline, ElementRendererInterface $htmlRen
 
         $attrs = [];
         foreach ($inline->getData('attributes', []) as $key => $value) {
-            $attrs[$key] = Xml::escape($value, true);
+            $attrs[$key] = Xml::escape($value);
         }
 
         return new HtmlElement('strong', $attrs, $htmlRenderer->renderInlines($inline->children()));