Filter |noescape preserves some escaping in some contexts

dg · dg · commit 13436ee3203e · 2022-09-13T00:35:05.000+02:00
diff --git a/src/Latte/Compiler/Escaper.php b/src/Latte/Compiler/Escaper.php
@@ -180,6 +180,23 @@ public function escape(string $str): string
 	}
 
 
+	public function escapeRequisite(string $str): string
+	{
+		return match ($this->contentType) {
+			ContentType::Html => match ($this->state) {
+				self::HtmlAttribute => $this->quote ? 'LR\Filters::escapeHtmlChar(' . $str . ', ' . var_export($this->quote, true) . ')' : $str,
+				self::HtmlRawText => 'LR\Filters::escapeHtmlRawText(' . $str . ')',
+				default => $str,
+			},
+			ContentType::Xml => match ($this->state) {
+				self::HtmlAttribute => $this->quote ? 'LR\Filters::escapeHtmlChar(' . $str . ', ' . var_export($this->quote, true) . ')' : $str,
+				default => $str,
+			},
+			default => $str,
+		};
+	}
+
+
 	public function check(string $str): string
 	{
 		if ($this->state === self::HtmlAttribute && $this->subType === self::Url) {
diff --git a/src/Latte/Compiler/Nodes/Php/ModifierNode.php b/src/Latte/Compiler/Nodes/Php/ModifierNode.php
@@ -68,9 +68,9 @@ public function printSimple(PrintContext $context, string $expr): string
 			$expr = $escaper->check($expr);
 		}
 
-		if ($escape) {
-			$expr = $escaper->escape($expr);
-		}
+		$expr = $escape
+			? $escaper->escape($expr)
+			: $escaper->escapeRequisite($expr);
 
 		return $expr;
 	}
diff --git a/src/Latte/Runtime/Filters.php b/src/Latte/Runtime/Filters.php
@@ -100,6 +100,19 @@ public static function escapeHtmlComment($s): string
 	}
 
 
+	/**
+	 * Escapes a certain special character.
+	 */
+	public static function escapeHtmlChar($s, string $char): string
+	{
+		return str_replace(
+			$char,
+			htmlspecialchars($char, ENT_QUOTES | ENT_HTML5),
+			(string) $s,
+		);
+	}
+
+
 	/**
 	 * Escapes string for use everywhere inside XML (except for comments).
 	 */
diff --git a/tests/common/Compiler.noescape.phpt b/tests/common/Compiler.noescape.phpt
@@ -0,0 +1,71 @@
+<?php
+
+/**
+ * Test: |noescape
+ */
+
+declare(strict_types=1);
+
+use Tester\Assert;
+
+
+require __DIR__ . '/../bootstrap.php';
+
+
+$latte = new Latte\Engine;
+$latte->setLoader(new Latte\Loaders\StringLoader);
+
+// html text
+Assert::match(
+	'<p></script></p>',
+	$latte->renderToString('<p>{="</script>"|noescape}</p>'),
+);
+
+// raw text
+Assert::match(
+	'<script><\/script></script>',
+	$latte->renderToString('<script>{="</script>"|noescape}</script>'),
+);
+
+Assert::match(
+	'<style><\/script></style>',
+	$latte->renderToString('<style>{="</script>"|noescape}</style>'),
+);
+
+Assert::match(
+	'<script type="text/html"><\/script></script>',
+	$latte->renderToString('<script type="text/html">{="</script>"|noescape}</script>'),
+);
+
+// in tag
+Assert::match(
+	'<p foo a=\'a\' b="b">></p>',
+	$latte->renderToString('<p {="foo a=\'a\' b=\"b\">"|noescape}></p>'),
+);
+
+// attribute unquoted values
+Assert::match(
+	'<p title=foo a=\'a\' b="b">></p>',
+	$latte->renderToString('<p title={="foo a=\'a\' b=\"b\">"|noescape}></p>'),
+);
+
+// attribute quoted values
+Assert::match(
+	'<p title="foo a=\'a\' b=&quot;b&quot;>"></p>',
+	$latte->renderToString('<p title="{="foo a=\'a\' b=\"b\">"|noescape}"></p>'),
+);
+
+Assert::match(
+	'<p title=\'foo a=&apos;a&apos; b="b">\'></p>',
+	$latte->renderToString('<p title=\'{="foo a=\'a\' b=\"b\">"|noescape}\'></p>'),
+);
+
+Assert::match(
+	'<p style="foo a=\'a\' b=&quot;b&quot;>"></p>',
+	$latte->renderToString('<p style="{="foo a=\'a\' b=\"b\">"|noescape}"></p>'),
+);
+
+Assert::match(
+	'<p onclick="foo a=\'a\' b=&quot;b&quot;>"></p>',
+	$latte->renderToString('<p onclick="{="foo a=\'a\' b=\"b\">"|noescape}"></p>'),
+);
diff --git a/tests/filters/escapeHtmlChar.phpt b/tests/filters/escapeHtmlChar.phpt
@@ -0,0 +1,22 @@
+<?php
+
+/**
+ * Test: Latte\Runtime\Filters::escapeHtmlChar
+ */
+
+declare(strict_types=1);
+
+use Latte\Runtime\Filters;
+use Tester\Assert;
+
+require __DIR__ . '/../bootstrap.php';
+
+
+Assert::same('', Filters::escapeHtmlChar(null, '"'));
+Assert::same('', Filters::escapeHtmlChar('', '"'));
+Assert::same('1', Filters::escapeHtmlChar(1, '"'));
+Assert::same('string', Filters::escapeHtmlChar('string', '"'));
+Assert::same('< & \' &quot; >', Filters::escapeHtmlChar('< & \' " >', '"'));
+Assert::same('< & &apos; " >', Filters::escapeHtmlChar('< & \' " >', "'"));
+Assert::same('< & \' " &gt;', Filters::escapeHtmlChar('< & \' " >', '>'));
+Assert::same('&quot;', Filters::escapeHtmlChar('&quot;', '"'));

Original file line number	Diff line number	Diff line change
`@@ -68,9 +68,9 @@ public function printSimple(PrintContext $context, string $expr): string`
`68`	`68`	`$expr = $escaper->check($expr);`
`69`	`69`	`}`
`70`	`70`
`71`		`- if ($escape) {`
`72`		`- $expr = $escaper->escape($expr);`
`73`		`- }`
	`71`	`+ $expr = $escape`
	`72`	`+ ? $escaper->escape($expr)`
	`73`	`+ : $escaper->escapeRequisite($expr);`
`74`	`74`
`75`	`75`	`return $expr;`
`76`	`76`	`}`