Filters: compatibility with JS binding II.

nette · Oct 2, 2021 · 53e5da9 · 53e5da9
1 parent e11912d
commit 53e5da9
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/src/Latte/Runtime/Filters.php b/src/Latte/Runtime/Filters.php
@@ -48,7 +48,7 @@ public static function escapeHtmlText($s): string
 			return $s->__toString(true);
 		}
 		$s = htmlspecialchars((string) $s, ENT_NOQUOTES | ENT_SUBSTITUTE, 'UTF-8');
-		$s = str_replace('{{', '{<!-- -->{', $s);
+		$s = strtr($s, ['{{' => '{<!-- -->{', '{' => '&#123;']);
 		return $s;
 	}
 
@@ -64,7 +64,9 @@ public static function escapeHtmlAttr($s, bool $double = true): string
 		if (strpos($s, '`') !== false && strpbrk($s, ' <>"\'') === false) {
 			$s .= ' '; // protection against innerHTML mXSS vulnerability nette/nette#1496
 		}
-		return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8', $double);
+		$s = htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8', $double);
+		$s = str_replace('{', '&#123;', $s);
+		return $s;
 	}