Merge branch 'm-haritonov-escape'

This commit is contained in:
Simon Wisselink
2021-08-19 16:15:57 +02:00
3 changed files with 10 additions and 2 deletions


@@ -9,6 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Changed ### Changed
- modifier escape now triggers a E_USER_NOTICE when an unsupported escape type is used https://github.com/smarty-php/smarty/pull/649 - modifier escape now triggers a E_USER_NOTICE when an unsupported escape type is used https://github.com/smarty-php/smarty/pull/649
### Security
- More advanced javascript escaping to handle https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements thanks to m-haritonov
## [3.1.39] - 2021-02-17 ## [3.1.39] - 2021-02-17
### Security ### Security


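--- a/<path not shown on page: file defining smarty_modifier_escape>
+++ b/<path not shown on page: file defining smarty_modifier_escape>
@@ -184,7 +184,11 @@ function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $
 '"' => '\\"',
 "\r" => '\\r',
 "\n" => '\\n',
-'</' => '<\/'
+'</' => '<\/',
+// see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+'<!--' => '<\!--',
+'<s' => '<\s',
+'<S' => '<\S'
 )
 );
 case 'mail':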
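Review bot: The three new replacements (`'<!--' => '<\!--'`, `'<s' => '<\s'`, `'<S' => '<\S'`) rely on JavaScript identity escapes, which are accepted in a JS string literal but are not valid JSON, so a value escaped with `javascript` can no longer be handed to `JSON.parse` — that contract is not stated anywhere in the hunk. I would record it next to the spec link: `// output is only safe inside a quoted JS string literal within <script>; \! \s \S are JS identity escapes and NOT valid JSON`. It is also worth noting in the same comment that `strtr()` with an array matches longest key first, which is why `'</'` still wins over `'<s'` for `</script`. The same table is emitted as PHP source by `smarty_modifiercompiler_escape()` in the next file section and must be kept in step with this one. The enclosing `switch` and the `smarty_modifier_escape()` function begin and end outside the hunk.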


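--- a/<path not shown on page: file defining smarty_modifiercompiler_escape>
+++ b/<path not shown on page: file defining smarty_modifiercompiler_escape>
@@ -89,9 +89,10 @@ function smarty_modifiercompiler_escape($params, Smarty_Internal_TemplateCompile
 return 'preg_replace("%(?<!\\\\\\\\)\'%", "\\\'",' . $params[ 0 ] . ')';
 case 'javascript':
 // escape quotes and backslashes, newlines, etc.
+// see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
 return 'strtr(' .
 $params[ 0 ] .
-', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/" ))';
+', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S" ))';
 }
 } catch (SmartyException $e) {
 // pass through to regular plugin fallback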
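Review bot: The new entries `"<\!--"`, `"<\s"` and `"<\S"` are emitted inside PHP double-quoted string literals in the generated code, whereas the runtime plugin in the previous file section writes the same table with single quotes; they survive only because `\!`, `\s` and `\S` are not PHP escape sequences, so a future addition whose second character is a PHP escape (`\t`, `\v`, `\e`, `\f`, `\u`, `\x`, a digit) would be silently rewritten at compile time and diverge from the runtime plugin. I would make that trap explicit where the table is extended: `// generated code uses double-quoted PHP strings: only add "<\X" entries where \X is NOT a PHP escape; keep in sync with smarty_modifier_escape()`. The duplicated table is itself the maintenance hazard, but de-duplicating it is a larger change than this hunk. The enclosing `switch`/`try` and `smarty_modifiercompiler_escape()` start before and end after the hunk.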