implemented mandatory escaping (cannot be disabled using |noescape)

Author: dg

src/Latte/Compiler/Escaper.php

@@ -230,6 +230,27 @@ public function escape(string $str): string
 	}
 
 
+	public function escapeMandatory(string $str): string
+	{
+		$quote = var_export($this->quote, true);
+		return match ($this->contentType) {
+			ContentType::Html => match ($this->state) {
+				self::HtmlAttributeQuoted => "LR\\Filters::escapeHtmlChar($str, $quote)",
+				self::HtmlRawText => match ($this->subState) {
+					self::HtmlText => 'LR\Filters::convertHtmlToHtmlRawText(' . $str . ')',
+					default => "LR\\Filters::convertJSToHtmlRawText($str)",
+				},
+				default => $str,
+			},
+			ContentType::Xml => match ($this->state) {
+				self::HtmlAttributeQuoted => "LR\\Filters::escapeHtmlChar($str, $quote)",
+				default => $str,
+			},
+			default => $str,
+		};
+	}
+
+
 	public function check(string $str): string
 	{
 		if ($this->isHtmlAttribute() && $this->subState === self::Url) {

src/Latte/Compiler/Nodes/Php/ModifierNode.php

@@ -68,9 +68,9 @@ public function printSimple(PrintContext $context, string $expr): string
 			$expr = $escaper->check($expr);
 		}
 
-		if ($escape) {
-			$expr = $escaper->escape($expr);
-		}
+		$expr = $escape
+			? $escaper->escape($expr)
+			: $escaper->escapeMandatory($expr);
 
 		return $expr;
 	}

src/Latte/Runtime/Filters.php

@@ -100,6 +100,19 @@ public static function escapeHtmlComment($s): string
 	}
 
 
+	/**
+	 * Escapes a certain special character.
+	 */
+	public static function escapeHtmlChar($s, string $char): string
+	{
+		return str_replace(
+			$char,
+			htmlspecialchars($char, ENT_QUOTES | ENT_HTML5),
+			(string) $s,
+		);
+	}
+
+
 	/**
 	 * Escapes string for use everywhere inside XML (except for comments and tags).
 	 */

tests/common/Compiler.noescape.phpt

@@ -0,0 +1,60 @@
+<?php
+
+/**
+ * Test: |noescape
+ */
+
+declare(strict_types=1);
+
+use Tester\Assert;
+
+require __DIR__ . '/../bootstrap.php';
+
+
+$latte = new Latte\Engine;
+$latte->setLoader(new Latte\Loaders\StringLoader);
+
+// html text
+Assert::match(
+	'<p></script></p>',
+	$latte->renderToString('<p>{="</script>"|noescape}</p>'),
+);
+
+// in tag
+Assert::match(
+	'<p foo a=\'a\' b="b">></p>',
+	$latte->renderToString('<p {="foo a=\'a\' b=\"b\">"|noescape}></p>'),
+);
+
+// in bogus tag
+Assert::match(
+	'<!doctype foo a=\'a\' b="b">></p>',
+	$latte->renderToString('<!doctype {="foo a=\'a\' b=\"b\">"|noescape}></p>'),
+);
+
+// attribute unquoted values
+Assert::match(
+	'<p title=foo a=\'a\' b="b">></p>',
+	$latte->renderToString('<p title={="foo a=\'a\' b=\"b\">"|noescape}></p>'),
+);
+
+// attribute quoted values
+Assert::match(
+	'<p title="foo a=\'a\' b=&quot;b&quot;>"></p>',
+	$latte->renderToString('<p title="{="foo a=\'a\' b=\"b\">"|noescape}"></p>'),
+);
+
+Assert::match(
+	'<p title=\'foo a=&apos;a&apos; b="b">\'></p>',
+	$latte->renderToString('<p title=\'{="foo a=\'a\' b=\"b\">"|noescape}\'></p>'),
+);
+
+Assert::match(
+	'<p style="foo a=\'a\' b=&quot;b&quot;>"></p>',
+	$latte->renderToString('<p style="{="foo a=\'a\' b=\"b\">"|noescape}"></p>'),
+);
+
+Assert::match(
+	'<p onclick="foo a=\'a\' b=&quot;b&quot;>"></p>',
+	$latte->renderToString('<p onclick="{="foo a=\'a\' b=\"b\">"|noescape}"></p>'),
+);

tests/common/contentType.html.css.phpt

@@ -54,3 +54,9 @@ Assert::match(
 	'<style> a { background: url("\"") } </style>',
 	$latte->renderToString('<style> a { background: url("{=\'"\'}") } </style>'),
 );
+
+// no escape
+Assert::match(
+	'<style><\/style></style>',
+	$latte->renderToString('<style>{="</style>"|noescape}</style>'),
+);

tests/common/contentType.html.html.phpt

@@ -36,6 +36,12 @@ Assert::match(
 	$latte->renderToString('{define a}<script></script>{/define} <script type="text/html">{include a}</script>'),
 );
 
+// no escape
+Assert::match(
+	'<script type="text/html">&lt;/script></script>',
+	$latte->renderToString('<script type="text/html">{="</script>"|noescape}</script>'),
+);
+
 // content of <script> is RAWTEXT
 Assert::match(
 	<<<'XX'

tests/common/contentType.html.javascript.phpt

@@ -111,3 +111,9 @@ Assert::match(
 		['foo' => new Html("<div title='</script>'></div>")],
 	),
 );
+
+// no escape
+Assert::match(
+	'<script><\/script></script>',
+	$latte->renderToString('<script>{="</script>"|noescape}</script>'),
+);

tests/common/contentType.html.unknown.phpt

@@ -37,6 +37,12 @@ Assert::exception(
 	'Including block a with content type HTML into incompatible type HTML/RAW+TEXT.',
 );
 
+// no escape
+Assert::match(
+	'<script type="foo"><\/script></script>',
+	$latte->renderToString('<script type="foo">{="</script>"|noescape}</script>'),
+);
+
 // content of <script> is RAWTEXT
 Assert::match(
 	<<<'XX'

tests/common/expected/contentType.xml.html

@@ -61,3 +61,6 @@
 <p val="some&amp;&lt;&gt;&quot;&apos;/chars" val2="`mxss"> </p>
 
 <p onclick="some&amp;&lt;&gt;&quot;&apos;/chars"> </p>
+
+<p title="foo a='a' b=&quot;b&quot;>"></p>
+<p foo a='a' b="b">></p>

tests/common/expected/contentType.xml.php

@@ -128,6 +128,13 @@ public function main(array $ʟ_args): void
 <p onclick=';
 		echo '"' . LR\Filters::escapeXml($xss) . '"' /* line %d% */;
 		echo '> </p>
+
+<p title="';
+		echo LR\Filters::escapeHtmlChar('foo a=\'a\' b="b">', '"') /* line %d% */;
+		echo '"></p>
+<p ';
+		echo 'foo a=\'a\' b="b">' /* line %d% */;
+		echo '></p>
 ';
 	}