SafeUrl is not used for attribute parts

nette · Jun 1, 2022 · 38d7db8 · 38d7db8
1 parent e7b06f4
commit 38d7db8
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 18 deletions.
diff --git a/src/Latte/Compiler/Escaper.php b/src/Latte/Compiler/Escaper.php
@@ -105,6 +105,7 @@ public function enterHtmlAttribute(?string $name = null, string $quote = ''): vo
 	{
 		$this->state = self::HtmlAttribute;
 		$this->quote = $quote;
+		$this->subType = '';
 
 		if ($this->contentType === ContentType::Html && is_string($name)) {
 			$name = strtolower($name);

diff --git a/src/Latte/Compiler/Nodes/Html/QuotedValue.php b/src/Latte/Compiler/Nodes/Html/QuotedValue.php
@@ -10,6 +10,7 @@
 namespace Latte\Compiler\Nodes\Html;
 
 use Latte\Compiler\Nodes\AreaNode;
+use Latte\Compiler\Nodes\FragmentNode;
 use Latte\Compiler\Position;
 use Latte\Compiler\PrintContext;
 
@@ -27,8 +28,18 @@ public function __construct(
 	public function print(PrintContext $context): string
 	{
 		$res = 'echo ' . var_export($this->quote, true) . ';';
-		$context->beginEscape()->enterHtmlAttributeQuote($this->quote);
-		$res .= $this->value->print($context);
+		$escaper = $context->beginEscape();
+		$escaper->enterHtmlAttributeQuote($this->quote);
+
+		if ($this->value instanceof FragmentNode && $escaper->export() === 'html/attr/url') {
+			foreach ($this->value->children as $child) {
+				$res .= $child->print($context);
+				$escaper->enterHtmlAttribute(null, $this->quote);
+			}
+		} else {
+			$res .= $this->value->print($context);
+		}
+
 		$res .= 'echo ' . var_export($this->quote, true) . ';';
 		$context->restoreEscape();
 		return $res;

diff --git a/tests/common/Safe.url.phpt b/tests/common/Safe.url.phpt
@@ -27,7 +27,7 @@ Assert::match('
 <a href="" src="" action="" formaction="" title="javascript:alert(1)"></a>
 <a href=""></a>
 <a href="javascript:alert(1)"></a>
-<a href="http://nette.org?val=ok"></a>
+<a href="http://nette.org?val=javascript:alert(1)"></a>
 <a data="javascript:alert(1)"></a>
 <OBJECT DATA=""></OBJECT>
 <a HREF=""></a>
@@ -44,7 +44,7 @@ Assert::match('
 <a href={$url1} src="{$url1}" action={$url1} formaction={$url1} title={$url1}></a>
 <a {if true}href={$url1}{/if}></a>
 <a href={$url1|nocheck}></a>
-<a href="http://nette.org?val={$url4}"></a>
+<a href="http://nette.org?val={$url1}"></a>
 <a data={$url1}></a>
 <OBJECT DATA={$url1}></object>
 <a HREF={$url2}></a>
@@ -77,17 +77,3 @@ Assert::contains(
 	'LR\Filters::escapeHtmlAttr(LR\Filters::safeUrl(($this->filters->upper)($url1)))',
 	$latte->compile('<a href="{$url1|upper}"></a>'),
 );
-
-
-// former |safeurl & |nosafeurl
-Assert::exception(
-	fn() => $latte->renderToString('<a href={$url1|nosafeurl}></a>', $params),
-	LogicException::class,
-	"Filter 'nosafeurl' is not defined.",
-);
-
-Assert::exception(
-	fn() => $latte->renderToString('<a href={$url4|dataStream|safeURL}></a>', $params),
-	LogicException::class,
-	"Filter 'safeURL' is not defined.",
-);