Add tests and fix escaping rules so it doesnt cause issues

51094b42 · Jordi Boggiano · 9fb82890 · 51094b42 · 51094b42 · 51094b42
Commit 51094b42 authored Feb 15, 2013 by Jordi Boggiano
Show whitespace changes
Inline Side-by-side

Showing with 36 additions and 3 deletions

Plugin.php lib/Dwoo/Plugin.php +14 -2

a.php lib/plugins/builtin/blocks/a.php +1 -1

BlockTests.php tests/BlockTests.php +21 -0

No files found.
--- a/lib/Dwoo/Plugin.php
+++ b/lib/Dwoo/Plugin.php
@@ -59,9 +59,10 @@ abstract class Dwoo_Plugin
 	 *
 	 * @param array $params an array of attributeName=>value items that will be compiled to be ready for inclusion in a php string
 	 * @param string $delim the string delimiter you want to use (defaults to ')
+	 * @param Dwoo_Compiler $compiler the compiler instance (optional for BC, but recommended to pass it for proper escaping behavior)
 	 * @return string
 	 */
-	public static function paramsToAttributes(array $params, $delim = '\'')
+	public static function paramsToAttributes(array $params, $delim = '\'', Dwoo_Compiler $compiler = null)
 	{
 		if (isset($params['*'])) {
 			$params = array_merge($params, $params['*']);
@@ -76,8 +77,19 @@ abstract class Dwoo_Plugin
 			} elseif (substr($val, 0, 1) === $delim && substr($val, -1) === $delim) {
 				$out .= str_replace($delim, '\\'.$delim, '"'.substr($val, 1, -1).'"');
 			} else {
+				if (!$compiler) {
+					// disable double encoding since it can not be determined if it was encoded
+					$escapedVal = '.(is_string($tmp2='.$val.') ? htmlspecialchars($tmp2, ENT_QUOTES, $this->charset, false) : $tmp2).';
+				} elseif (!$compiler->getAutoEscape() || false === strpos($val, 'isset($this->scope')) {
+					// escape if auto escaping is disabled, or there was no variable in the string
+					$escapedVal = '.(is_string($tmp2='.$val.') ? htmlspecialchars($tmp2, ENT_QUOTES, $this->charset) : $tmp2).';
+				} else {
+					// print as is
+					$escapedVal = '.'.$val.'.';
+				}
 				$out .= str_replace($delim, '\\'.$delim, '"') .
-					$delim . '.htmlentities(' . $val . ').' . $delim .
+					$delim . $escapedVal . $delim .
 					str_replace($delim, '\\'.$delim, '"');
 			}
 		}

--- a/lib/plugins/builtin/blocks/a.php
+++ b/lib/plugins/builtin/blocks/a.php
@@ -42,7 +42,7 @@ class Dwoo_Plugin_a extends Dwoo_Block_Plugin implements Dwoo_ICompilable_Block
 	{
 		$p = $compiler->getCompiledParams($params);
-		$out = Dwoo_Compiler::PHP_OPEN . 'echo \'<a '.self::paramsToAttributes($p);
+		$out = Dwoo_Compiler::PHP_OPEN . 'echo \'<a '.self::paramsToAttributes($p, "'", $compiler);
 		return $out.'>\';' . Dwoo_Compiler::PHP_CLOSE;
 	}

--- a/tests/BlockTests.php
+++ b/tests/BlockTests.php
@@ -47,6 +47,27 @@ class BlockTests extends PHPUnit_Framework_TestCase
 		$fixCall->init('');
 	}
+	public function testAEscaping()
+	{
+		$data['url'] = 'foo" onclick="alert(document.window)" foo="';
+		$data['var'] = '"';
+		$tpl = new Dwoo_Template_String('{a $url attr="str\"withquotes" attr2="str\'$var"; "text" /}');
+		$tpl->forceCompilation();
+		$this->assertEquals('<a href="foo&quot; onclick=&quot;alert(document.window)&quot; foo=&quot;" attr="str&quot;withquotes" attr2="str&#039;&quot;">text</a>', $this->dwoo->get($tpl, $data, $this->compiler));
+	}
+	public function testAEscapingWithAutoEscape()
+	{
+		$cmp = new Dwoo_Compiler();
+		$cmp->setAutoEscape(true);
+		$data['url'] = 'foo" onclick="alert(document.window)" foo="';
+		$data['var'] = '"';
+		$tpl = new Dwoo_Template_String('{a $url attr="str\"withquotes" attr2="str\'$var"; "text" /}');
+		$tpl->forceCompilation();
+		$this->assertEquals('<a href="foo&quot; onclick=&quot;alert(document.window)&quot; foo=&quot;" attr="str&quot;withquotes" attr2="str\'&quot;">text</a>', $this->dwoo->get($tpl, $data, $cmp));
+	}
 	public function testAutoEscape()
 	{
 		$cmp = new Dwoo_Compiler();