From 2a026a6c867547923de26b9176489d96b53c7619 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Sun, 30 Oct 2022 22:28:39 +0900
Subject: [PATCH] Allow true/false/yes/no values for autoescape
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
템플릿의 문법이 on, off만 지원하기 때문에 흔히 사용하는 true, false, yes, no, Y, N 등의 불리언 값을 입력하면 안전하지 않은 off로 인식하게 됨. 이 경우에도 적절히 처리하도록 변경.
---
 classes/template/TemplateHandler.class.php | 7 ++--
 tests/unit/classes/TemplateHandlerTest.php | 38 +++++++++++-----------
 2 files changed, 23 insertions(+), 22 deletions(-)
diff --git a/classes/template/TemplateHandler.class.php b/classes/template/TemplateHandler.class.php
index fa7fcb9c3..ed233dcf6 100644
--- a/classes/template/TemplateHandler.class.php
+++ b/classes/template/TemplateHandler.class.php
@@ -263,7 +263,7 @@ class TemplateHandler
 $this->config = new stdClass();
 // detect existence of autoescape config
- $this->config->autoescape = (strpos($buff, ' autoescape="') === FALSE) ? NULL : 'off';
+ $this->config->autoescape = (strpos($buff, ' autoescape="') === false) ? null : false;
 // replace comments
 $buff = preg_replace('@@s', '', $buff);
@@ -970,7 +970,8 @@ class TemplateHandler
 {
 foreach($config_matches as $config_match)
 {
- $result .= "\$this->config->{$config_match[1]} = '" . trim(strtolower($config_match[2])) . "';";
+ $config_value = toBool(trim(strtolower($config_match[2]))) ? 'true' : 'false';
+ $result .= "\$this->config->{$config_match[1]} = $config_value;";
 }
 }
 return "";
@@ -1042,7 +1043,7 @@ class TemplateHandler
 return "(preg_match('/^\\$(?:user_)?lang->[a-zA-Z0-9\_]+$/', {$str}) ? ({$str}) : htmlspecialchars({$str}, ENT_QUOTES, 'UTF-8', false))";
 case 'auto':
 default:
- return "(\$this->config->autoescape === 'on' ? htmlspecialchars({$str}, ENT_QUOTES, 'UTF-8', false) : ({$str}))";
+ return "(\$this->config->autoescape ? htmlspecialchars({$str}, ENT_QUOTES, 'UTF-8', false) : ({$str}))";
 }
 }
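Review bot: The comment `// detect existence of autoescape config` above the changed line in the first hunk now understates what the assigned value encodes, and the three states are easy to confuse because two of them are falsy: `null` means no `autoescape` attribute was found in the template, `false` is a placeholder the later config-parsing step is expected to overwrite, and both read as "do not escape" in the truthiness test the `auto` filter uses. I would replace the comment with `// null: no autoescape attribute in the template; false: attribute present, real value filled in by the config-parsing step (both are falsy, i.e. no escaping)`. The enclosing method starts and ends outside the hunk.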
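Review bot: The boolean conversion added in the second hunk applies to every matched config key, not only `autoescape`: whatever `$config_match[1]` is, the generated code now assigns `true`/`false` where the old code assigned the lowercased string, so any non-boolean config attribute (if one exists) would be silently coerced. Restricting the coercion to the key that needs it keeps the change scoped, e.g. `$value = trim(strtolower($config_match[2]));` followed by `$config_value = $config_match[1] === 'autoescape' ? (toBool($value) ? 'true' : 'false') : var_export($value, true);`. Separately, the outcome for an unrecognised spelling such as `"maybe"` now depends entirely on the fallback inside `toBool()`, which is not visible here; because `false` disables escaping, it would be safer for this switch to treat anything other than an explicit off-value as on (or to reject it) so that a typo cannot silently turn escaping off. The enclosing function starts outside the hunk.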
diff --git a/tests/unit/classes/TemplateHandlerTest.php b/tests/unit/classes/TemplateHandlerTest.php index 7a6a8f3e8..42f06be47 100644 --- a/tests/unit/classes/TemplateHandlerTest.php +++ b/tests/unit/classes/TemplateHandlerTest.php 
@@ -328,43 +328,43 @@ class TemplateHandlerTest extends \Codeception\TestCase\Test // Rhymix autoescape array( '{$foo}', - PHP_EOL . '$this->config->autoescape = \'on\';' . "\n" . 'echo ($this->config->autoescape === \'on\' ? htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', false) : ($__Context->foo)) ?>' + PHP_EOL . '$this->config->autoescape = true;' . "\n" . 'echo ($this->config->autoescape ? htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', false) : ($__Context->foo)) ?>' ), array( '{$foo}', - PHP_EOL . '$this->config->autoescape = \'off\';' . "\n" . 'echo ($this->config->autoescape === \'on\' ? htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', false) : ($__Context->foo)) ?>' + PHP_EOL . '$this->config->autoescape = false;' . "\n" . 'echo ($this->config->autoescape ? htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', false) : ($__Context->foo)) ?>' ), array( - '{$foo|auto}', - PHP_EOL . '$this->config->autoescape = \'on\';' . "\n" . 'echo ($this->config->autoescape === \'on\' ? htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', false) : ($__Context->foo)) ?>' + '{$foo|auto}', + PHP_EOL . '$this->config->autoescape = true;' . "\n" . 'echo ($this->config->autoescape ? htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', false) : ($__Context->foo)) ?>' ), array( - '{$foo|auto}', - PHP_EOL . '$this->config->autoescape = \'off\';' . "\n" . 'echo ($this->config->autoescape === \'on\' ? htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', false) : ($__Context->foo)) ?>' + '{$foo->$bar|auto}', + PHP_EOL . '$this->config->autoescape = false;' . "\n" . 'echo ($this->config->autoescape ? htmlspecialchars($__Context->foo->{$__Context->bar}, ENT_QUOTES, \'UTF-8\', false) : ($__Context->foo->{$__Context->bar})) ?>' ), array( - '{$foo|autoescape}', - PHP_EOL . '$this->config->autoescape = \'on\';' . "\n" . 'echo htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', false) ?>' + '{$foo|autoescape}', + PHP_EOL . 
'$this->config->autoescape = true;' . "\n" . 'echo htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', false) ?>' ), array( - '{$foo|autoescape}', - PHP_EOL . '$this->config->autoescape = \'off\';' . "\n" . 'echo htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', false) ?>' + '{$foo|autoescape}', + PHP_EOL . '$this->config->autoescape = false;' . "\n" . 'echo htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', false) ?>' ), array( - '{$foo|escape}', - PHP_EOL . '$this->config->autoescape = \'on\';' . "\n" . 'echo htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', true) ?>' + '{$foo|escape}', + PHP_EOL . '$this->config->autoescape = true;' . "\n" . 'echo htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', true) ?>' ), array( - '{$foo|escape}', - PHP_EOL . '$this->config->autoescape = \'off\';' . "\n" . 'echo htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', true) ?>' + '{$foo|escape}', + PHP_EOL . '$this->config->autoescape = false;' . "\n" . 'echo htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', true) ?>' ), array( - '{$foo|noescape}', - PHP_EOL . '$this->config->autoescape = \'on\';' . "\n" . 'echo $__Context->foo ?>' + '{$foo|noescape}', + PHP_EOL . '$this->config->autoescape = true;' . "\n" . 'echo $__Context->foo ?>' ), array( - '{$foo|noescape}', - PHP_EOL . '$this->config->autoescape = \'off\';' . "\n" . 'echo $__Context->foo ?>' + '{$foo|noescape}', + PHP_EOL . '$this->config->autoescape = false;' . "\n" . 'echo $__Context->foo ?>' ), // Rhymix filters array( @@ -449,7 +449,7 @@ class TemplateHandlerTest extends \Codeception\TestCase\Test ), array( '
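Review bot: None of the test cases visible in this hunk exercise the new spellings the commit title introduces (true/false/yes/no/Y/N); every changed expectation only swaps the emitted `'on'`/`'off'` string for `true`/`false`. The template inputs' config markup appears to have been lost in this rendering, so the accepted spellings may be covered elsewhere; if they are not, add one case per accepted spelling plus one for an unrecognised value so the fallback direction of the conversion is pinned. Rewriting the second `{$foo|auto}` case to `{$foo->$bar|auto}` also removes the plain `{$foo|auto}` case with autoescape off, which is no longer covered here. The data provider containing these cases starts and ends outside the hunk.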

{$foo|link:$url}

', - PHP_EOL . '$this->config->autoescape = \'on\'; ?>

config->autoescape === \'on\' ? htmlspecialchars($__Context->url, ENT_QUOTES, \'UTF-8\', false) : ($__Context->url)) . \'">\' . ($this->config->autoescape === \'on\' ? htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', false) : ($__Context->foo)) . \'\' ?>

' + PHP_EOL . '$this->config->autoescape = true; ?>

config->autoescape ? htmlspecialchars($__Context->url, ENT_QUOTES, \'UTF-8\', false) : ($__Context->url)) . \'">\' . ($this->config->autoescape ? htmlspecialchars($__Context->foo, ENT_QUOTES, \'UTF-8\', false) : ($__Context->foo)) . \'\' ?>

' ), // Rhymix filters (reject malformed filters) array(