Filters: compatibility with JS binding II.

dg · dg · commit 53e5da9aa2ec · 2021-10-03T00:59:03.000+02:00
diff --git a/src/Latte/Runtime/Filters.php b/src/Latte/Runtime/Filters.php
@@ -48,7 +48,7 @@ public static function escapeHtmlText($s): string
 			return $s->__toString(true);
 		}
 		$s = htmlspecialchars((string) $s, ENT_NOQUOTES | ENT_SUBSTITUTE, 'UTF-8');
-		$s = str_replace('{{', '{<!-- -->{', $s);
+		$s = strtr($s, ['{{' => '{<!-- -->{', '{' => '&#123;']);
 		return $s;
 	}
 
@@ -64,7 +64,9 @@ public static function escapeHtmlAttr($s, bool $double = true): string
 		if (strpos($s, '`') !== false && strpbrk($s, ' <>"\'') === false) {
 			$s .= ' '; // protection against innerHTML mXSS vulnerability nette/nette#1496
 		}
-		return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8', $double);
+		$s = htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8', $double);
+		$s = str_replace('{', '&#123;', $s);
+		return $s;
 	}
 
 

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ public static function escapeHtmlText($s): string`
`48`	`48`	`return $s->__toString(true);`
`49`	`49`	`}`
`50`	`50`	`$s = htmlspecialchars((string) $s, ENT_NOQUOTES \| ENT_SUBSTITUTE, 'UTF-8');`
`51`		`- $s = str_replace('{{', '{<!-- -->{', $s);`
	`51`	`+ $s = strtr($s, ['{{' => '{<!-- -->{', '{' => '{']);`
`52`	`52`	`return $s;`
`53`	`53`	`}`
`54`	`54`
`@@ -64,7 +64,9 @@ public static function escapeHtmlAttr($s, bool $double = true): string`
`64`	`64`	if (strpos($s, '`') !== false && strpbrk($s, ' <>"\'') === false) {
`65`	`65`	`$s .= ' '; // protection against innerHTML mXSS vulnerability nette/nette#1496`
`66`	`66`	`}`
`67`		`- return htmlspecialchars($s, ENT_QUOTES \| ENT_HTML5 \| ENT_SUBSTITUTE, 'UTF-8', $double);`
	`67`	`+ $s = htmlspecialchars($s, ENT_QUOTES \| ENT_HTML5 \| ENT_SUBSTITUTE, 'UTF-8', $double);`
	`68`	`+ $s = str_replace('{', '{', $s);`
	`69`	`+ return $s;`
`68`	`70`	`}`
`69`	`71`
`70`	`72`