In <script type=unknown> are not escaped HTML

dg · dg · commit 0d7d933b819a · 2023-03-01T09:23:49.000+01:00
diff --git a/src/Latte/Compiler/Escaper.php b/src/Latte/Compiler/Escaper.php
@@ -133,7 +133,8 @@ public function enterHtmlText(?ElementNode $node): void
 			$this->subState = match (true) {
 				$name === 'style' => self::Css,
 				self::isJSScript($node) => self::JavaScript,
-				default => self::HtmlText,
+				self::isHtmlScript($node) => self::HtmlText,
+				default => self::Text,
 			};
 		} else {
 			$this->state = self::HtmlText;
@@ -204,6 +205,7 @@ public function escape(string $str): string
 				self::HtmlComment => 'LR\Filters::escapeHtmlComment(' . $str . ')',
 				self::HtmlBogusTag => 'LR\Filters::escapeHtml(' . $str . ')',
 				self::HtmlRawText => match ($this->subState) {
+					self::Text => 'LR\Filters::convertJSToHtmlRawText(' . $str . ')', // sanitization, escaping is not possible
 					self::HtmlText => 'LR\Filters::escapeHtmlRawTextHtml(' . $str . ')',
 					self::JavaScript => 'LR\Filters::escapeJs(' . $str . ')',
 					self::Css => 'LR\Filters::escapeCss(' . $str . ')',
@@ -261,4 +263,13 @@ public static function isJSScript(ElementNode $el): bool
 			&& ($type === true || $type === null || $type === ''
 				|| is_string($type) && preg_match('#((application|text)/(((x-)?java|ecma|j|live)script|json)|text/plain|module|importmap)$#Ai', $type));
 	}
+
+
+	private static function isHtmlScript(ElementNode $el): bool
+	{
+		$type = $el->getAttribute('type');
+		return strcasecmp($el->name, 'script') === 0
+			&& is_string($type) && preg_match('#text/((x-)?template|html)$#Ai', $type);
+
+	}
 }
diff --git a/tests/common/contentType.html.unknown.phpt b/tests/common/contentType.html.unknown.phpt
@@ -0,0 +1,86 @@
+<?php
+
+/**
+ * Test: Unknown type of <script>
+ */
+
+declare(strict_types=1);
+
+use Latte\Runtime\Html;
+use Tester\Assert;
+
+require __DIR__ . '/../bootstrap.php';
+
+
+$latte = new Latte\Engine;
+$latte->setLoader(new Latte\Loaders\StringLoader);
+
+// escaping of string
+Assert::match(
+	'<script type="foo"> <div title=" <>\' ">  <>\' </div> </script>',
+	$latte->renderToString('<script type="foo"> <div title=" {="<>\'"} ">  {="<>\'"} </div> </script>'),
+);
+
+// escaping of Html object
+Assert::match(
+	'<script type="foo"> <div title=\'<\/script>\'></div> </script>',
+	$latte->renderToString(
+		'<script type="foo"> {$foo} </script>',
+		['foo' => new Html("<div title='</script>'></div>")],
+	),
+);
+
+// include
+Assert::exception(
+	fn() => $latte->renderToString('{define a}<script></script>{/define} <script type="foo">{include a}</script>'),
+	Latte\RuntimeException::class,
+	'Including block a with content type HTML into incompatible type HTML/RAW+TEXT.',
+);
+
+// content of <script> is RAWTEXT
+Assert::match(
+	<<<'XX'
+			<script type="foo">
+			<div n:foreach="[a, b] as $i">def</div>
+			</script>
+			<div>a</div>
+			<div>b</div>
+
+		XX,
+	$latte->renderToString(
+		<<<'XX'
+
+				{var $i = def}
+				<script type="foo">
+				<div n:foreach="[a, b] as $i">{$i}</div>
+				</script>
+				<div n:foreach="[a, b] as $i">{$i}</div>
+
+			XX,
+	),
+);
+
+// content of <script> changed to html
+Assert::match(
+	<<<'XX'
+			<script type="foo">
+			<div>a</div>
+			<div>b</div>
+			</script>
+			<div>a</div>
+			<div>b</div>
+
+		XX,
+	$latte->renderToString(
+		<<<'XX'
+
+				{var $i = def}
+				<script type="foo">
+				{contentType html}
+				<div n:foreach="[a, b] as $i">{$i}</div>
+				</script>
+				<div n:foreach="[a, b] as $i">{$i}</div>
+
+			XX,
+	),
+);
