From f27d4a14405f014ba73aa362421f8f80d35dd618 Mon Sep 17 00:00:00 2001
From: Fabien Potencier
Date: Tue, 1 Oct 2013 15:11:00 +0200
Subject: [PATCH] fixed usage of the html_attr escaping strategy to avoid double-escaping with the html strategy

---
 CHANGELOG | 1 +
 lib/Twig/NodeVisitor/SafeAnalysis.php | 18 +++++++++++++-----
 .../Tests/Fixtures/filters/escape_html_attr.test | 8 ++++++++
 3 files changed, 22 insertions(+), 5 deletions(-)
 create mode 100644 test/Twig/Tests/Fixtures/filters/escape_html_attr.test

diff --git a/CHANGELOG b/CHANGELOG
index ab39662..483f107 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,6 @@
 * 1.14.0 (2013-XX-XX)
+ * fixed usage of the html_attr escaping strategy to avoid double-escaping with the html strategy
  * fixed some compatibility issues with HHVM
  * added a way to add custom escaping strategies
  * fixed the C extension compilation on Windows
diff --git a/lib/Twig/NodeVisitor/SafeAnalysis.php b/lib/Twig/NodeVisitor/SafeAnalysis.php
index b0c658c..214e8b6 100644
--- a/lib/Twig/NodeVisitor/SafeAnalysis.php
+++ b/lib/Twig/NodeVisitor/SafeAnalysis.php
@@ -13,12 +13,20 @@ class Twig_NodeVisitor_SafeAnalysis implements Twig_NodeVisitorInterface
     public function getSafe(Twig_NodeInterface $node)
     {
         $hash = spl_object_hash($node);
-        if (isset($this->data[$hash])) {
-            foreach ($this->data[$hash] as $bucket) {
-                if ($bucket['key'] === $node) {
-                    return $bucket['value'];
-                }
+        if (!isset($this->data[$hash])) {
+            return;
+        }
+
+        foreach ($this->data[$hash] as $bucket) {
+            if ($bucket['key'] !== $node) {
+                continue;
+            }
+
+            if (in_array('html_attr', $bucket['value'])) {
+                $bucket['value'][] = 'html';
             }
+
+            return $bucket['value'];
         }
     }
diff --git a/test/Twig/Tests/Fixtures/filters/escape_html_attr.test b/test/Twig/Tests/Fixtures/filters/escape_html_attr.test
new file mode 100644
index 0000000..009a245
--- /dev/null
+++ b/test/Twig/Tests/Fixtures/filters/escape_html_attr.test
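Review bot: The new `in_array('html_attr', $bucket['value'])` check in getSafe uses loose comparison, so a non-string entry in the safe list (an integer 0 on the PHP 5.x/7.x versions Twig 1.x targets) would compare equal to the string; passing the strict flag pins the intent: `if (in_array('html_attr', $bucket['value'], true)) {`. The code also gives no reason why a value marked safe for html_attr is treated as safe for html, which matters because this is exactly what suppresses the second escaping pass; a comment such as `// html_attr escapes a superset of what html escapes, so an html_attr-safe value is also html-safe and must not be escaped again` on the `if` line would make the rule auditable. Since `$bucket` is a by-value copy, the appended 'html' affects only the returned array, not `$this->data`; if that is deliberate it deserves a word in the same comment. The rest of the class, including where `$this->data` is populated, is outside the hunk.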
@@ -0,0 +1,8 @@ +--TEST-- +"escape" filter does not escape with the html strategy when using the html_attr strategy +--TEMPLATE-- +{{ '
'|escape('html_attr') }} +--DATA-- +return array() +--EXPECT-- +<br /> -- 1.7.2.5