smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2026-05-03 19:30:49 +02:00
Code Issues Packages Projects Releases Wiki Activity

plugins: escape: javascript escaping secure fix

Browse Source
This commit is contained in:
Mihail Haritonov
2021-02-28 16:43:54 +03:00
parent 290aee6db3
commit 9cde36e3bc
2 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libs/plugins/modifiercompiler.escape.php
+2 -1
View File
@@ -89,9 +89,10 @@ function smarty_modifiercompiler_escape($params, Smarty_Internal_TemplateCompile
return 'preg_replace("%(?<!\\\\\\\\)\'%", "\\\'",' . $params[ 0 ] . ')';
case 'javascript':
// escape quotes and backslashes, newlines, etc.
// see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
return 'strtr(' .
$params[ 0 ] .
', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/" ))';
', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S" ))';
}
} catch (SmartyException $e) {
// pass through to regular plugin fallback