From: Arnaud Le Blanc Date: Fri, 24 Dec 2010 16:21:26 +0000 (+0100) Subject: Added auto-escaper support for functions X-Git-Url: http://git.silmor.de/gitweb/?a=commitdiff_plain;h=3615e9a3860c476b6088e714c3c2c52252cbec22;p=web%2Fkonrad%2Ftwig.git Added auto-escaper support for functions Functions' output is escaped by default and functions can declare themselves "safe" using the "is_safe" option. --- diff --git a/lib/Twig/NodeVisitor/SafeAnalysis.php b/lib/Twig/NodeVisitor/SafeAnalysis.php index b684618..2f2403b 100644 --- a/lib/Twig/NodeVisitor/SafeAnalysis.php +++ b/lib/Twig/NodeVisitor/SafeAnalysis.php @@ -58,6 +58,16 @@ class Twig_NodeVisitor_SafeAnalysis implements Twig_NodeVisitorInterface } else { $this->setSafe($node, array()); } + } elseif ($node instanceof Twig_Node_Expression_Function) { + // function expression is safe when the function is safe + $name = $node->getNode('name')->getAttribute('name'); + $args = $node->getNode('arguments'); + $function = $env->getFunction($name); + if (null !== $function) { + $this->setSafe($node, $function->getSafe($args)); + } else { + $this->setSafe($node, array()); + } } else { $this->setSafe($node, array()); } diff --git a/test/Twig/Tests/Fixtures/tags/autoescape/functions.test b/test/Twig/Tests/Fixtures/tags/autoescape/functions.test new file mode 100644 index 0000000..ce62744 --- /dev/null +++ b/test/Twig/Tests/Fixtures/tags/autoescape/functions.test @@ -0,0 +1,83 @@ +--TEST-- +"autoescape" tag applies escaping after calling functions +--TEMPLATE-- + +autoescape off +{% autoescape off %} + +safe_br +{{ safe_br() }} + +unsafe_br +{{ unsafe_br() }} + +{% endautoescape %} + +autoescape on +{% autoescape on %} + +safe_br +{{ safe_br() }} + +unsafe_br +{{ unsafe_br() }} + +unsafe_br()|raw +{{ (unsafe_br())|raw }} + +safe_br()|escape +{{ (safe_br())|escape }} + +safe_br()|raw +{{ (safe_br())|raw }} + +unsafe_br()|escape +{{ (unsafe_br())|escape }} + +{% endautoescape %} + +autoescape on js +{% autoescape on js %} + +safe_br +{{ safe_br() }} + +{% endautoescape %} +--DATA-- +return array() +--EXPECT-- + +autoescape off + +safe_br +
+ +unsafe_br +
+ + +autoescape on + +safe_br +
+ +unsafe_br +<br /> + +unsafe_br()|raw +
+ +safe_br()|escape +<br /> + +safe_br()|raw +
+ +unsafe_br()|escape +<br /> + + +autoescape on js + +safe_br +\x3cbr \x2f\x3e