Merge pull request #117 from utopia-php/feat-template-escape-html-by-default

TorstenDittmann · web-flow · commit e3ff6b933082 · 2024-01-08T14:30:27.000+01:00
feat: escape html by default in view params
diff --git a/src/View.php b/src/View.php
@@ -77,12 +77,16 @@ public function __construct(string $path = '')
      *
      * @throws Exception
      */
-    public function setParam(string $key, mixed $value): static
+    public function setParam(string $key, mixed $value, bool $escapeHtml = true): static
     {
         if (\strpos($key, '.') !== false) {
             throw new Exception('$key can\'t contain a dot "." character');
         }
 
+        if (is_string($value) && $escapeHtml) {
+            $value = \htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
+        }
+
         $this->params[$key] = $value;
 
         return $this;
diff --git a/tests/ViewTest.php b/tests/ViewTest.php
@@ -83,4 +83,10 @@ public function testCanFilterNewLinesToParagraphs()
     {
         $this->assertEquals('<p>line1</p><p>line2</p>', $this->view->print("line1\n\nline2", View::FILTER_NL2P));
     }
+
+    public function testCanSetParamWithEscapedHtml()
+    {
+        $this->view->setParam('key', '<html>value</html>');
+        $this->assertEquals('&lt;html&gt;value&lt;/html&gt;', $this->view->getParam('key', 'default'));
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -77,12 +77,16 @@ public function __construct(string $path = '')`
`77`	`77`	`*`
`78`	`78`	`* @throws Exception`
`79`	`79`	`*/`
`80`		`- public function setParam(string $key, mixed $value): static`
	`80`	`+ public function setParam(string $key, mixed $value, bool $escapeHtml = true): static`
`81`	`81`	`{`
`82`	`82`	`if (\strpos($key, '.') !== false) {`
`83`	`83`	`throw new Exception('$key can\'t contain a dot "." character');`
`84`	`84`	`}`
`85`	`85`
	`86`	`+ if (is_string($value) && $escapeHtml) {`
	`87`	`+ $value = \htmlspecialchars($value, ENT_QUOTES, 'UTF-8');`
	`88`	`+ }`
	`89`	`+`
`86`	`90`	`$this->params[$key] = $value;`
`87`	`91`
`88`	`92`	`return $this;`
Original file line number	Diff line number	Diff line change
`@@ -83,4 +83,10 @@ public function testCanFilterNewLinesToParagraphs()`
`83`	`83`	`{`
`84`	`84`	`$this->assertEquals('<p>line1</p><p>line2</p>', $this->view->print("line1\n\nline2", View::FILTER_NL2P));`
`85`	`85`	`}`
	`86`	`+`
	`87`	`+ public function testCanSetParamWithEscapedHtml()`
	`88`	`+ {`
	`89`	`+ $this->view->setParam('key', '<html>value</html>');`
	`90`	`+ $this->assertEquals('<html>value</html>', $this->view->getParam('key', 'default'));`
	`91`	`+ }`
`86`	`92`	`}`