allowed including HTML in <script type=html>

dg · dg · commit 01e2d7ff1304 · 2023-03-01T09:23:50.000+01:00
diff --git a/src/Latte/Compiler/Escaper.php b/src/Latte/Compiler/Escaper.php
@@ -70,6 +70,7 @@ final class Escaper
 			self::HtmlAttributeQuoted . '+' . self::Url => 'convertHtmlToHtmlAttr',
 			self::HtmlComment => 'escapeHtmlComment',
 			self::HtmlAttributeUnquoted => 'convertHtmlToUnquotedAttr',
+			self::HtmlRawText . '+' . self::HtmlText => 'convertHtmlToHtmlRawText',
 		],
 		self::HtmlAttributeQuoted => [
 			self::HtmlText => 'convertHtmlToHtmlAttr',
diff --git a/src/Latte/Runtime/Filters.php b/src/Latte/Runtime/Filters.php
@@ -191,6 +191,15 @@ public static function convertJSToHtmlRawText($s): string
 	}
 
 
+	/**
+	 * Converts HTML for usage in <script type=text/html>
+	 */
+	public static function convertHtmlToHtmlRawText(string $s): string
+	{
+		return preg_replace('#<(/?)script#i', '&lt;$1script', $s);
+	}
+
+
 	/**
 	 * Converts ... to ...
 	 */
diff --git a/tests/common/contentType.compatibility.phpt b/tests/common/contentType.compatibility.phpt
@@ -277,7 +277,7 @@ Assert::same('<!-- </script>-->', $latte->renderToString('context6'));
 
 $latte = new Latte\Engine;
 $latte->setLoader(new Latte\Loaders\StringLoader([
-	'html.latte' => '<hr> " &quot; &lt;',
+	'html.latte' => '<hr><script></script> " &quot; &lt;',
 
 	'context1' => '<p>{include html.latte}</p>',
 	'context1a' => '<p>{include html.latte|noescape}</p>',
@@ -289,37 +289,40 @@ $latte->setLoader(new Latte\Loaders\StringLoader([
 	'context2c' => '<p title="{include html.latte|stripHtml|upper|noescape}"></p>',
 	'context3' => '<p title={include html.latte}></p>',
 	'context4' => '<script>{include html.latte}</script>',
+	'context4a' => '<script type="text/html">{include html.latte}</script>',
 	'context5' => '<style>{include html.latte}</style>',
 	'context6' => '<!--{include html.latte}-->',
 ]));
 
-Assert::same('<p><hr> " &quot; &lt;</p>', $latte->renderToString('context1'));
+Assert::same('<p><hr><script></script> " &quot; &lt;</p>', $latte->renderToString('context1'));
 
-Assert::same('<p><hr> " &quot; &lt;</p>', $latte->renderToString('context1a'));
+Assert::same('<p><hr><script></script> " &quot; &lt;</p>', $latte->renderToString('context1a'));
 Assert::same('<p> " " &lt;</p>', $latte->renderToString('context1b'));
 Assert::same('<p> " " <</p>', $latte->renderToString('context1c'));
 
-Assert::same('<p title="&lt;hr&gt; &quot; &quot; &lt;"></p>', $latte->renderToString('context2'));
+Assert::same('<p title="&lt;hr&gt;&lt;script&gt;&lt;/script&gt; &quot; &quot; &lt;"></p>', $latte->renderToString('context2'));
 
-Assert::same('<p title="<hr> " &quot; &lt;"></p>', $latte->renderToString('context2a'));
+Assert::same('<p title="<hr><script></script> " &quot; &lt;"></p>', $latte->renderToString('context2a'));
 Assert::same('<p title=" &quot; &quot; &lt;"></p>', $latte->renderToString('context2b'));
 Assert::same('<p title=" " " <"></p>', $latte->renderToString('context2c'));
 
-Assert::same('<p title="&lt;hr&gt; &quot; &quot; &lt;"></p>', $latte->renderToString('context3'));
+Assert::same('<p title="&lt;hr&gt;&lt;script&gt;&lt;/script&gt; &quot; &quot; &lt;"></p>', $latte->renderToString('context3'));
 
 Assert::exception(
 	fn() => $latte->renderToString('context4'),
 	Latte\RuntimeException::class,
 	"Including 'html.latte' with content type HTML into incompatible type HTML/RAW+JS.",
 );
 
+Assert::same('<script type="text/html"><hr>&lt;script>&lt;/script> " &quot; &lt;</script>', $latte->renderToString('context4a'));
+
 Assert::exception(
 	fn() => $latte->renderToString('context5'),
 	Latte\RuntimeException::class,
 	"Including 'html.latte' with content type HTML into incompatible type HTML/RAW+CSS.",
 );
 
-Assert::same('<!--<hr> " &quot; &lt;-->', $latte->renderToString('context6'));
+Assert::same('<!--<hr><script></script> " &quot; &lt;-->', $latte->renderToString('context6'));
 
 
 
diff --git a/tests/common/contentType.html.html.phpt b/tests/common/contentType.html.html.phpt
@@ -30,6 +30,12 @@ Assert::match(
 	),
 );
 
+// include
+Assert::match(
+	' <script type="text/html">&lt;script>&lt;/script></script>',
+	$latte->renderToString('{define a}<script></script>{/define} <script type="text/html">{include a}</script>'),
+);
+
 // content of <script> is RAWTEXT
 Assert::match(
 	<<<'XX'
diff --git a/tests/filters/convertHtmlToHtmlRawText.phpt b/tests/filters/convertHtmlToHtmlRawText.phpt
@@ -0,0 +1,25 @@
+<?php
+
+/**
+ * Test: Latte\Runtime\Filters::convertHtmlToHtmlRawText
+ */
+
+declare(strict_types=1);
+
+use Latte\Runtime\Filters;
+use Tester\Assert;
+
+require __DIR__ . '/../bootstrap.php';
+
+
+Assert::same('', Filters::convertHtmlToHtmlRawText(''));
+Assert::same('string', Filters::convertHtmlToHtmlRawText('string'));
+Assert::same('< & \' " >', Filters::convertHtmlToHtmlRawText('< & \' " >'));
+Assert::same('</p>', Filters::convertHtmlToHtmlRawText('</p>'));
+Assert::same('foo </STYLE>', Filters::convertHtmlToHtmlRawText('foo </STYLE>'));
+Assert::same('foo &lt;script>', Filters::convertHtmlToHtmlRawText('foo <script>'));
+Assert::same('foo &lt;/script>', Filters::convertHtmlToHtmlRawText('foo </script>'));
+
+// invalid UTF-8
+Assert::same("foo \u{D800} bar", Filters::convertHtmlToHtmlRawText("foo \u{D800} bar")); // invalid codepoint high surrogates
+Assert::same("foo \xE3\x80\x22 bar", Filters::convertHtmlToHtmlRawText("foo \xE3\x80\x22 bar")); // stripped UTF
