feat: escape html in view params by default

TorstenDittmann · TorstenDittmann · commit f7b172a14c3f · 2024-01-08T13:33:39.000+01:00
diff --git a/src/View.php b/src/View.php
@@ -77,12 +77,16 @@ public function __construct(string $path = '')
      *
      * @throws Exception
      */
-    public function setParam(string $key, mixed $value): static
+    public function setParam(string $key, mixed $value, bool $escapeHtml = true): static
     {
         if (\strpos($key, '.') !== false) {
             throw new Exception('$key can\'t contain a dot "." character');
         }
 
+        if (is_string($value) && $escapeHtml) {
+            $value = htmlspecialchars($value, encoding: 'UTF-8');
+        }
+
         $this->params[$key] = $value;
 
         return $this;

Original file line number	Diff line number	Diff line change
`@@ -77,12 +77,16 @@ public function __construct(string $path = '')`
`77`	`77`	`*`
`78`	`78`	`* @throws Exception`
`79`	`79`	`*/`
`80`		`- public function setParam(string $key, mixed $value): static`
	`80`	`+ public function setParam(string $key, mixed $value, bool $escapeHtml = true): static`
`81`	`81`	`{`
`82`	`82`	`if (\strpos($key, '.') !== false) {`
`83`	`83`	`throw new Exception('$key can\'t contain a dot "." character');`
`84`	`84`	`}`
`85`	`85`
	`86`	`+ if (is_string($value) && $escapeHtml) {`
	`87`	`+ $value = htmlspecialchars($value, encoding: 'UTF-8');`
	`88`	`+ }`
	`89`	`+`
`86`	`90`	`$this->params[$key] = $value;`
`87`	`91`
`88`	`92`	`return $this;`