implemented mandatory escaping (cannot be disabled using |noescape)

Author: dg

src/Latte/Compiler/Escaper.php

@@ -229,6 +229,23 @@ public function escape(string $str): string
 	}
 
 
+	public function escapeMandatory(string $str): string
+	{
+		return match ($this->contentType) {
+			ContentType::Html => match ($this->state) {
+				self::HtmlAttributeQuoted => 'LR\Filters::escapeHtmlChar(' . $str . ', ' . var_export($this->quote, true) . ')',
+				self::HtmlRawText => 'LR\Filters::escapeHtmlRawText(' . $str . ')',
+				default => $str,
+			},
+			ContentType::Xml => match ($this->state) {
+				self::HtmlAttributeQuoted => 'LR\Filters::escapeHtmlChar(' . $str . ', ' . var_export($this->quote, true) . ')',
+				default => $str,
+			},
+			default => $str,
+		};
+	}
+
+
 	public function check(string $str): string
 	{
 		if ($this->isHtmlAttribute() && $this->subState === self::Url) {

src/Latte/Compiler/Nodes/Php/ModifierNode.php

@@ -68,9 +68,9 @@ public function printSimple(PrintContext $context, string $expr): string
 			$expr = $escaper->check($expr);
 		}
 
-		if ($escape) {
-			$expr = $escaper->escape($expr);
-		}
+		$expr = $escape
+			? $escaper->escape($expr)
+			: $escaper->escapeMandatory($expr);
 
 		return $expr;
 	}

src/Latte/Runtime/Filters.php

@@ -100,6 +100,19 @@ public static function escapeHtmlComment($s): string
 	}
 
 
+	/**
+	 * Escapes a certain special character.
+	 */
+	public static function escapeHtmlChar($s, string $char): string
+	{
+		return str_replace(
+			$char,
+			htmlspecialchars($char, ENT_QUOTES | ENT_HTML5),
+			(string) $s,
+		);
+	}
+
+
 	/**
 	 * Escapes string for use everywhere inside XML (except for comments).
 	 */

tests/common/Compiler.noescape.phpt

@@ -0,0 +1,54 @@
+<?php
+
+/**
+ * Test: |noescape
+ */
+
+declare(strict_types=1);
+
+use Tester\Assert;
+
+require __DIR__ . '/../bootstrap.php';
+
+
+$latte = new Latte\Engine;
+$latte->setLoader(new Latte\Loaders\StringLoader);
+
+// html text
+Assert::match(
+	'<p></script></p>',
+	$latte->renderToString('<p>{="</script>"|noescape}</p>'),
+);
+
+// in tag
+Assert::match(
+	'<p foo a=\'a\' b="b">></p>',
+	$latte->renderToString('<p {="foo a=\'a\' b=\"b\">"|noescape}></p>'),
+);
+
+// attribute unquoted values
+Assert::match(
+	'<p title=foo a=\'a\' b="b">></p>',
+	$latte->renderToString('<p title={="foo a=\'a\' b=\"b\">"|noescape}></p>'),
+);
+
+// attribute quoted values
+Assert::match(
+	'<p title="foo a=\'a\' b=&quot;b&quot;>"></p>',
+	$latte->renderToString('<p title="{="foo a=\'a\' b=\"b\">"|noescape}"></p>'),
+);
+
+Assert::match(
+	'<p title=\'foo a=&apos;a&apos; b="b">\'></p>',
+	$latte->renderToString('<p title=\'{="foo a=\'a\' b=\"b\">"|noescape}\'></p>'),
+);
+
+Assert::match(
+	'<p style="foo a=\'a\' b=&quot;b&quot;>"></p>',
+	$latte->renderToString('<p style="{="foo a=\'a\' b=\"b\">"|noescape}"></p>'),
+);
+
+Assert::match(
+	'<p onclick="foo a=\'a\' b=&quot;b&quot;>"></p>',
+	$latte->renderToString('<p onclick="{="foo a=\'a\' b=\"b\">"|noescape}"></p>'),
+);

tests/common/contentType.html.css.phpt

@@ -54,3 +54,9 @@ Assert::match(
 	'<style> a { background: url("\"") } </style>',
 	$latte->renderToString('<style> a { background: url("{=\'"\'}") } </style>'),
 );
+
+// no escape
+Assert::match(
+	'<style><\/style></style>',
+	$latte->renderToString('<style>{="</style>"|noescape}</style>'),
+);

tests/common/contentType.html.html.phpt

@@ -28,6 +28,12 @@ Assert::match(
 	),
 );
 
+// no escape
+Assert::match(
+	'<script type="text/html"><\/script></script>',
+	$latte->renderToString('<script type="text/html">{="</script>"|noescape}</script>'),
+);
+
 // content of <script> is RAWTEXT
 Assert::match(
 	<<<'XX'

tests/common/contentType.html.javascript.phpt

@@ -111,3 +111,9 @@ Assert::match(
 		['foo' => new Html("<div title='</script>'></div>")],
 	),
 );
+
+// no escape
+Assert::match(
+	'<script><\/script></script>',
+	$latte->renderToString('<script>{="</script>"|noescape}</script>'),
+);

tests/common/contentType.html.unknown.phpt

@@ -28,6 +28,12 @@ Assert::match(
 	),
 );
 
+// no escape
+Assert::match(
+	'<script type="foo"><\/script></script>',
+	$latte->renderToString('<script type="foo">{="</script>"|noescape}</script>'),
+);
+
 // content of <script> is RAWTEXT
 Assert::match(
 	<<<'XX'

tests/common/expected/contentType.xml.html

@@ -61,3 +61,5 @@
 <p val="some&amp;&lt;&gt;&quot;&apos;/chars" val2="`mxss"> </p>
 
 <p onclick="some&amp;&lt;&gt;&quot;&apos;/chars"> </p>
+
+<p title="foo a=\'a\' b=&quot;b&quot;>"></p>

tests/common/expected/contentType.xml.php

@@ -128,6 +128,10 @@ public function main(array $ʟ_args): void
 <p onclick=';
 		echo '"' . LR\Filters::escapeXml($xss) . '"' /* line %d% */;
 		echo '> </p>
+
+<p title="';
+		echo LR\Filters::escapeHtmlChar('foo a=\\\'a\\\' b="b">', '"') /* line %d% */;
+		echo '"></p>
 ';
 	}