From e4e401f315717b840bce6b0e6e68571b26f25c8e Mon Sep 17 00:00:00 2001
From: David Grudl <david@grudl.com>
Date: Tue, 21 Jun 2022 17:12:07 +0200
Subject: [PATCH] implemented mandatory escaping (cannot be disabled using
 |noescape)

---
 src/Latte/Compiler/Escaper.php                | 17 ++++++
 src/Latte/Compiler/Nodes/Php/ModifierNode.php |  6 +--
 src/Latte/Runtime/Filters.php                 | 13 +++++
 tests/common/Compiler.noescape.phpt           | 54 +++++++++++++++++++
 tests/common/contentType.html.css.phpt        |  6 +++
 tests/common/contentType.html.html.phpt       |  6 +++
 tests/common/contentType.html.javascript.phpt |  6 +++
 tests/common/contentType.html.unknown.phpt    |  6 +++
 tests/common/expected/contentType.xml.html    |  2 +
 tests/common/expected/contentType.xml.php     |  4 ++
 tests/common/templates/contentType.xml.latte  |  2 +
 tests/filters/escapeHtmlChar.phpt             | 22 ++++++++
 12 files changed, 141 insertions(+), 3 deletions(-)
 create mode 100644 tests/common/Compiler.noescape.phpt
 create mode 100644 tests/filters/escapeHtmlChar.phpt

diff --git a/src/Latte/Compiler/Escaper.php b/src/Latte/Compiler/Escaper.php
index 6698008771..e53c05d1b2 100644
--- a/src/Latte/Compiler/Escaper.php
+++ b/src/Latte/Compiler/Escaper.php
@@ -229,6 +229,23 @@ public function escape(string $str): string
 	}
 
 
+	public function escapeMandatory(string $str): string
+	{
+		return match ($this->contentType) {
+			ContentType::Html => match ($this->state) {
+				self::HtmlAttributeQuoted => 'LR\Filters::escapeHtmlChar(' . $str . ', ' . var_export($this->quote, true) . ')',
+				self::HtmlRawText => 'LR\Filters::escapeHtmlRawText(' . $str . ')',
+				default => $str,
+			},
+			ContentType::Xml => match ($this->state) {
+				self::HtmlAttributeQuoted => 'LR\Filters::escapeHtmlChar(' . $str . ', ' . var_export($this->quote, true) . ')',
+				default => $str,
+			},
+			default => $str,
+		};
+	}
+
+
 	public function check(string $str): string
 	{
 		if ($this->isHtmlAttribute() && $this->subState === self::Url) {
diff --git a/src/Latte/Compiler/Nodes/Php/ModifierNode.php b/src/Latte/Compiler/Nodes/Php/ModifierNode.php
index 3ecd661ff5..128ab2c021 100644
--- a/src/Latte/Compiler/Nodes/Php/ModifierNode.php
+++ b/src/Latte/Compiler/Nodes/Php/ModifierNode.php
@@ -68,9 +68,9 @@ public function printSimple(PrintContext $context, string $expr): string
 			$expr = $escaper->check($expr);
 		}
 
-		if ($escape) {
-			$expr = $escaper->escape($expr);
-		}
+		$expr = $escape
+			? $escaper->escape($expr)
+			: $escaper->escapeMandatory($expr);
 
 		return $expr;
 	}
diff --git a/src/Latte/Runtime/Filters.php b/src/Latte/Runtime/Filters.php
index 75609d2966..18f7e0b854 100644
--- a/src/Latte/Runtime/Filters.php
+++ b/src/Latte/Runtime/Filters.php
@@ -100,6 +100,19 @@ public static function escapeHtmlComment($s): string
 	}
 
 
+	/**
+	 * Escapes a certain special character.
+	 */
+	public static function escapeHtmlChar($s, string $char): string
+	{
+		return str_replace(
+			$char,
+			htmlspecialchars($char, ENT_QUOTES | ENT_HTML5),
+			(string) $s,
+		);
+	}
+
+
 	/**
 	 * Escapes string for use everywhere inside XML (except for comments).
 	 */
diff --git a/tests/common/Compiler.noescape.phpt b/tests/common/Compiler.noescape.phpt
new file mode 100644
index 0000000000..c12296e459
--- /dev/null
+++ b/tests/common/Compiler.noescape.phpt
@@ -0,0 +1,54 @@
+<?php
+
+/**
+ * Test: |noescape
+ */
+
+declare(strict_types=1);
+
+use Tester\Assert;
+
+require __DIR__ . '/../bootstrap.php';
+
+
+$latte = new Latte\Engine;
+$latte->setLoader(new Latte\Loaders\StringLoader);
+
+// html text
+Assert::match(
+	'<p></script></p>',
+	$latte->renderToString('<p>{="</script>"|noescape}</p>'),
+);
+
+// in tag
+Assert::match(
+	'<p foo a=\'a\' b="b">></p>',
+	$latte->renderToString('<p {="foo a=\'a\' b=\"b\">"|noescape}></p>'),
+);
+
+// attribute unquoted values
+Assert::match(
+	'<p title=foo a=\'a\' b="b">></p>',
+	$latte->renderToString('<p title={="foo a=\'a\' b=\"b\">"|noescape}></p>'),
+);
+
+// attribute quoted values
+Assert::match(
+	'<p title="foo a=\'a\' b=&quot;b&quot;>"></p>',
+	$latte->renderToString('<p title="{="foo a=\'a\' b=\"b\">"|noescape}"></p>'),
+);
+
+Assert::match(
+	'<p title=\'foo a=&apos;a&apos; b="b">\'></p>',
+	$latte->renderToString('<p title=\'{="foo a=\'a\' b=\"b\">"|noescape}\'></p>'),
+);
+
+Assert::match(
+	'<p style="foo a=\'a\' b=&quot;b&quot;>"></p>',
+	$latte->renderToString('<p style="{="foo a=\'a\' b=\"b\">"|noescape}"></p>'),
+);
+
+Assert::match(
+	'<p onclick="foo a=\'a\' b=&quot;b&quot;>"></p>',
+	$latte->renderToString('<p onclick="{="foo a=\'a\' b=\"b\">"|noescape}"></p>'),
+);
diff --git a/tests/common/contentType.html.css.phpt b/tests/common/contentType.html.css.phpt
index 336f5f1048..2950a08806 100644
--- a/tests/common/contentType.html.css.phpt
+++ b/tests/common/contentType.html.css.phpt
@@ -54,3 +54,9 @@ Assert::match(
 	'<style> a { background: url("\"") } </style>',
 	$latte->renderToString('<style> a { background: url("{=\'"\'}") } </style>'),
 );
+
+// no escape
+Assert::match(
+	'<style><\/style></style>',
+	$latte->renderToString('<style>{="</style>"|noescape}</style>'),
+);
diff --git a/tests/common/contentType.html.html.phpt b/tests/common/contentType.html.html.phpt
index 3c076b3a88..d39e29ed8c 100644
--- a/tests/common/contentType.html.html.phpt
+++ b/tests/common/contentType.html.html.phpt
@@ -28,6 +28,12 @@ Assert::match(
 	),
 );
 
+// no escape
+Assert::match(
+	'<script type="text/html"><\/script></script>',
+	$latte->renderToString('<script type="text/html">{="</script>"|noescape}</script>'),
+);
+
 // content of <script> is RAWTEXT
 Assert::match(
 	<<<'XX'
diff --git a/tests/common/contentType.html.javascript.phpt b/tests/common/contentType.html.javascript.phpt
index a7ebc72829..7fa08ca2f9 100644
--- a/tests/common/contentType.html.javascript.phpt
+++ b/tests/common/contentType.html.javascript.phpt
@@ -111,3 +111,9 @@ Assert::match(
 		['foo' => new Html("<div title='</script>'></div>")],
 	),
 );
+
+// no escape
+Assert::match(
+	'<script><\/script></script>',
+	$latte->renderToString('<script>{="</script>"|noescape}</script>'),
+);
diff --git a/tests/common/contentType.html.unknown.phpt b/tests/common/contentType.html.unknown.phpt
index 8d0db6a8ec..bc2a4104e5 100644
--- a/tests/common/contentType.html.unknown.phpt
+++ b/tests/common/contentType.html.unknown.phpt
@@ -28,6 +28,12 @@ Assert::match(
 	),
 );
 
+// no escape
+Assert::match(
+	'<script type="foo"><\/script></script>',
+	$latte->renderToString('<script type="foo">{="</script>"|noescape}</script>'),
+);
+
 // content of <script> is RAWTEXT
 Assert::match(
 	<<<'XX'
diff --git a/tests/common/expected/contentType.xml.html b/tests/common/expected/contentType.xml.html
index 7a3bb31735..f7e372a74f 100644
--- a/tests/common/expected/contentType.xml.html
+++ b/tests/common/expected/contentType.xml.html
@@ -61,3 +61,5 @@
 <p val="some&amp;&lt;&gt;&quot;&apos;/chars" val2="`mxss"> </p>
 
 <p onclick="some&amp;&lt;&gt;&quot;&apos;/chars"> </p>
+
+<p title="foo a=\'a\' b=&quot;b&quot;>"></p>
diff --git a/tests/common/expected/contentType.xml.php b/tests/common/expected/contentType.xml.php
index 656b9de6b5..efe802e239 100644
--- a/tests/common/expected/contentType.xml.php
+++ b/tests/common/expected/contentType.xml.php
@@ -128,6 +128,10 @@ public function main(array $ʟ_args): void
 <p onclick=';
 		echo '"' . LR\Filters::escapeXml($xss) . '"' /* line %d% */;
 		echo '> </p>
+
+<p title="';
+		echo LR\Filters::escapeHtmlChar('foo a=\\\'a\\\' b="b">', '"') /* line %d% */;
+		echo '"></p>
 ';
 	}
 
diff --git a/tests/common/templates/contentType.xml.latte b/tests/common/templates/contentType.xml.latte
index 56b62971b9..dfc8b1fc91 100644
--- a/tests/common/templates/contentType.xml.latte
+++ b/tests/common/templates/contentType.xml.latte
@@ -61,3 +61,5 @@ var html = {$el};
 <p val = {$xss} val2={$mxss}> </p>
 
 <p onclick = {$xss}> </p>
+
+<p title="{="foo a=\'a\' b=\"b\">"|noescape}"></p>
diff --git a/tests/filters/escapeHtmlChar.phpt b/tests/filters/escapeHtmlChar.phpt
new file mode 100644
index 0000000000..1d1d9be4df
--- /dev/null
+++ b/tests/filters/escapeHtmlChar.phpt
@@ -0,0 +1,22 @@
+<?php
+
+/**
+ * Test: Latte\Runtime\Filters::escapeHtmlChar
+ */
+
+declare(strict_types=1);
+
+use Latte\Runtime\Filters;
+use Tester\Assert;
+
+require __DIR__ . '/../bootstrap.php';
+
+
+Assert::same('', Filters::escapeHtmlChar(null, '"'));
+Assert::same('', Filters::escapeHtmlChar('', '"'));
+Assert::same('1', Filters::escapeHtmlChar(1, '"'));
+Assert::same('string', Filters::escapeHtmlChar('string', '"'));
+Assert::same('< & \' &quot; >', Filters::escapeHtmlChar('< & \' " >', '"'));
+Assert::same('< & &apos; " >', Filters::escapeHtmlChar('< & \' " >', "'"));
+Assert::same('< & \' " &gt;', Filters::escapeHtmlChar('< & \' " >', '>'));
+Assert::same('&quot;', Filters::escapeHtmlChar('&quot;', '"'));