From 3615e9a3860c476b6088e714c3c2c52252cbec22 Mon Sep 17 00:00:00 2001
From: Arnaud Le Blanc
Date: Fri, 24 Dec 2010 17:21:26 +0100
Subject: [PATCH] Added auto-escaper support for functions

Functions' output is escaped by default and functions can declare themselves "safe" using the "is_safe" option.
---
 lib/Twig/NodeVisitor/SafeAnalysis.php | 10 +++
 .../Tests/Fixtures/tags/autoescape/functions.test | 83 ++++++++++++++++++++
 2 files changed, 93 insertions(+), 0 deletions(-)
 create mode 100644 test/Twig/Tests/Fixtures/tags/autoescape/functions.test

diff --git a/lib/Twig/NodeVisitor/SafeAnalysis.php b/lib/Twig/NodeVisitor/SafeAnalysis.php
index b684618..2f2403b 100644
--- a/lib/Twig/NodeVisitor/SafeAnalysis.php
+++ b/lib/Twig/NodeVisitor/SafeAnalysis.php
@@ -58,6 +58,16 @@ class Twig_NodeVisitor_SafeAnalysis implements Twig_NodeVisitorInterface
 } else {
 $this->setSafe($node, array());
 }
+ } elseif ($node instanceof Twig_Node_Expression_Function) {
+ // function expression is safe when the function is safe
+ $name = $node->getNode('name')->getAttribute('name');
+ $args = $node->getNode('arguments');
+ $function = $env->getFunction($name);
+ if (null !== $function) {
+ $this->setSafe($node, $function->getSafe($args));
+ } else {
+ $this->setSafe($node, array());
+ }
 } else {
 $this->setSafe($node, array());
 }
diff --git a/test/Twig/Tests/Fixtures/tags/autoescape/functions.test b/test/Twig/Tests/Fixtures/tags/autoescape/functions.test
new file mode 100644
index 0000000..ce62744
--- /dev/null
+++ b/test/Twig/Tests/Fixtures/tags/autoescape/functions.test
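Review bot: The comment opening the new `elseif` branch undersells what the branch decides: safety is resolved per argument list through `$function->getSafe($args)`, and a function the environment does not know is deliberately marked unsafe with `array()`, which is the fail-closed default autoescaping relies on; I would make both explicit, e.g. `// trust a function's output only for the contexts it declares safe for these arguments; unknown functions fall back to being escaped`. The inner `if/else` also repeats the outer `else` and could collapse to `$this->setSafe($node, null !== $function ? $function->getSafe($args) : array());`. The enclosing method starts and ends outside the hunk.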
@@ -0,0 +1,83 @@
+--TEST--
+"autoescape" tag applies escaping after calling functions
+--TEMPLATE--
+
+autoescape off
+{% autoescape off %}
+
+safe_br
+{{ safe_br() }}
+
+unsafe_br
+{{ unsafe_br() }}
+
+{% endautoescape %}
+
+autoescape on
+{% autoescape on %}
+
+safe_br
+{{ safe_br() }}
+
+unsafe_br
+{{ unsafe_br() }}
+
+unsafe_br()|raw
+{{ (unsafe_br())|raw }}
+
+safe_br()|escape
+{{ (safe_br())|escape }}
+
+safe_br()|raw
+{{ (safe_br())|raw }}
+
+unsafe_br()|escape
+{{ (unsafe_br())|escape }}
+
+{% endautoescape %}
+
+autoescape on js
+{% autoescape on js %}
+
+safe_br
+{{ safe_br() }}
+
+{% endautoescape %}
+--DATA--
+return array()
+--EXPECT--
+
+autoescape off
+
+safe_br
+
+
+unsafe_br
+
+
+
+autoescape on
+
+safe_br
+
+
+unsafe_br
+<br />
+
+unsafe_br()|raw
+
+
+safe_br()|escape
+<br />
+
+safe_br()|raw
+
+
+unsafe_br()|escape
+<br />
+
+
+autoescape on js
+
+safe_br
+\x3cbr \x2f\x3e
-- 
1.7.2.5
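Review bot: The fixture calls `safe_br()` and `unsafe_br()` but nothing in this patch registers them, so they presumably come from the integration-test harness; a short hint in the `--TEST--` title (e.g. `"autoescape" tag applies escaping after calling functions (safe_br/unsafe_br from the test extension)`) would save the next reader a search. The only non-HTML case is `safe_br` under `autoescape on js`, which correctly expects the HTML-safe output to still be escaped as `\x3cbr \x2f\x3e`; adding `{{ (safe_br())|raw }}` and `{{ unsafe_br() }}` to that block would also pin down that `raw` bypasses the context and that an undeclared function is escaped in every strategy, not only in html.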