From 5638207fb021b95212f9b6d0c794b8f0c7a63fc0 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Wed, 22 Feb 2017 21:29:15 +0900
Subject: [PATCH] Change behavior of 'autoescape' filter to always escape (but not double-escape)

---
 classes/template/TemplateHandler.class.php | 5 +++--
 tests/unit/classes/TemplateHandlerTest.php | 10 +++++++++-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/classes/template/TemplateHandler.class.php b/classes/template/TemplateHandler.class.php
index 0807d60ed..5a7a3e4b2 100644
--- a/classes/template/TemplateHandler.class.php
+++ b/classes/template/TemplateHandler.class.php
@@ -561,7 +561,7 @@ class TemplateHandler
 }
 else
 {
-$escape_option = $this->config->autoescape !== null ? 'autoescape' : 'noescape';
+$escape_option = $this->config->autoescape !== null ? 'auto' : 'noescape';
 }
 
 // Separate filters from variable.
@@ -890,8 +890,9 @@ class TemplateHandler
 return "htmlspecialchars({$str}, ENT_COMPAT, 'UTF-8', true)";
 case 'noescape':
 return "{$str}";
-case 'auto':
 case 'autoescape':
+return "htmlspecialchars({$str}, ENT_COMPAT, 'UTF-8', false)";
+case 'auto':
 default:
 return "(\$this->config->autoescape === 'on' ? htmlspecialchars({$str}, ENT_COMPAT, 'UTF-8', false) : {$str})";
 }
diff --git a/tests/unit/classes/TemplateHandlerTest.php b/tests/unit/classes/TemplateHandlerTest.php
index 188ba4a09..e84e45d7f 100644
--- a/tests/unit/classes/TemplateHandlerTest.php
+++ b/tests/unit/classes/TemplateHandlerTest.php
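Review bot: The new `case 'autoescape':` return in the second hunk (@@ -890) escapes with ENT_COMPAT, which converts `"` but leaves `'` untouched, so a value emitted through this filter is only safe in HTML text and double-quoted attribute contexts; a template author who reads the commit title as "always escape" will not expect that limit. It also passes `double_encode: false`, so input that already contains entity-like sequences (`&amp;`, `&#39;`) is passed through unchanged rather than shown literally, which is intentional per the commit but worth stating at the site. I would add above the new return: `// Always escape regardless of config; double_encode=false keeps existing entities as-is. ENT_COMPAT does not touch single quotes, so only safe in text / double-quoted attribute context.` The first hunk (@@ -561) only keeps the config-dependent default by renaming it to 'auto' and needs no change. The enclosing switch and its method begin and end outside the hunk.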
@@ -315,9 +315,17 @@ class TemplateHandlerTest extends \Codeception\TestCase\Test
 PHP_EOL . '$this->config->autoescape = \'on\';' . "\n" . 'echo ($this->config->autoescape === \'on\' ? htmlspecialchars($__Context->foo, ENT_COMPAT, \'UTF-8\', false) : $__Context->foo) ?>'
 ),
 array(
-'{$foo|autoescape}',
+'{$foo|auto}',
 PHP_EOL . '$this->config->autoescape = \'off\';' . "\n" . 'echo ($this->config->autoescape === \'on\' ? htmlspecialchars($__Context->foo, ENT_COMPAT, \'UTF-8\', false) : $__Context->foo) ?>'
 ),
+array(
+'{$foo|autoescape}',
+PHP_EOL . '$this->config->autoescape = \'on\';' . "\n" . 'echo htmlspecialchars($__Context->foo, ENT_COMPAT, \'UTF-8\', false) ?>'
+),
+array(
+'{$foo|autoescape}',
+PHP_EOL . '$this->config->autoescape = \'off\';' . "\n" . 'echo htmlspecialchars($__Context->foo, ENT_COMPAT, \'UTF-8\', false) ?>'
+),
 array(
 '{$foo|escape}',
 PHP_EOL . '$this->config->autoescape = \'on\';' . "\n" . 'echo htmlspecialchars($__Context->foo, ENT_COMPAT, \'UTF-8\', true) ?>'
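Review bot: The two added `'{$foo|autoescape}'` cases differ only in the `autoescape` config value and pin the same compiled string, which is the right regression guard for a branch that no longer consults the config, but nothing in the hunk tells the next reader why the pair exists. I would put a one-line comment above the first of them: `// 'autoescape' must compile to an unconditional escape whether the config is 'on' or 'off'`. These assertions check the compiled PHP source only, so the non-double-encoding behaviour of the generated `htmlspecialchars(..., false)` call is presumably not exercised at runtime here — a separate test feeding an already-encoded value through a rendered template would cover that, if one does not exist elsewhere. The enclosing data-provider array begins and ends outside the hunk.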