From 8b1da6a98a43981791eed3a1ff37cbf7baa959c3 Mon Sep 17 00:00:00 2001
From: Kijin Sung <kijin@kijinsung.com>
Date: Tue, 6 Jan 2026 21:36:10 +0900
Subject: [PATCH] Fix incorrect handling of nested context switches (CSS inside
 HTML inside JS) in template v2 #2646

---
 .../parsers/template/TemplateParser_v2.php    | 27 +++++++++++++++----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/common/framework/parsers/template/TemplateParser_v2.php b/common/framework/parsers/template/TemplateParser_v2.php
index f85f30ccc..d71af7947 100644
--- a/common/framework/parsers/template/TemplateParser_v2.php
+++ b/common/framework/parsers/template/TemplateParser_v2.php
@@ -179,14 +179,18 @@ class TemplateParser_v2
 	 */
 	protected function _addContextSwitches(string $content): string
 	{
+		$context_index = random_int(12000, 99000);
+
 		// Inline styles.
 		$content = preg_replace_callback('#(?<=\s)(style=")([^"]*?)"#i', function($match) {
 			return $match[1] . '<?php $this->config->context = \'CSS\'; ?>' . $match[2] . '<?php $this->config->context = \'HTML\'; ?>"';
 		}, $content);
 
 		// Inline scripts.
-		$content = preg_replace_callback('#(?<=\s)(href="javascript:|pattern="|on[a-z]+=")([^"]*?)"#i', function($match) {
-			return $match[1] . '<?php $this->config->context = \'JS\'; ?>' . $match[2] . '<?php $this->config->context = \'HTML\'; ?>"';
+		$content = preg_replace_callback('#(?<=\s)(href="javascript:|pattern="|on[a-z]+=")([^"]*?)"#i', function($match) use(&$context_index) {
+			$context_index++;
+			return $match[1] . '<?php $this->config->context = \'JS\'; /* !CTX' . $context_index . '! */?>' .
+				$match[2] . '<?php $this->config->context = \'HTML\'; /* !CTX' . $context_index . '! */?>"';
 		}, $content);
 
 		// <style> tags.
@@ -202,14 +206,15 @@ class TemplateParser_v2
 		}, $content);
 
 		// <script> tags that aren't links.
-		$content = preg_replace_callback('#(<script\b([^>]*)|</script)#i', function($match) {
+		$content = preg_replace_callback('#(<script\b([^>]*)|</script)#i', function($match) use(&$context_index) {
 			if (substr($match[1], 1, 1) === '/')
 			{
-				return '<?php $this->config->context = \'HTML\'; ?>' . $match[1];
+				return '<?php $this->config->context = \'HTML\'; /* !CTX' . $context_index . '! */?>' . $match[1];
 			}
 			elseif (!str_contains($match[2] ?? '', 'src="'))
 			{
-				return $match[1] . '<?php $this->config->context = \'JS\'; ?>';
+				$context_index++;
+				return $match[1] . '<?php $this->config->context = \'JS\'; /* !CTX' . $context_index . '! */?>';
 			}
 			else
 			{
@@ -217,6 +222,18 @@ class TemplateParser_v2
 			}
 		}, $content);
 
+		// Remove nested context switches.
+		if ($context_index > 0)
+		{
+			$content = preg_replace_callback('#(<\?php \$this->config->context = \'JS\'; /\* !CTX([0-9]+)! \*/\?>)(.*?)(<\?php \$this->config->context = \'HTML\'; /\* !CTX\2! \*/\?>)#s', function($match) {
+				return preg_replace('#/\* !CTX\d+! \*/#', '', $match[1]) .
+					preg_replace('#<\?php \$this->config->context = \'[A-Z]+\'; \?>#', '', $match[3]) .
+					preg_replace('#/\* !CTX\d+! \*/#', '', $match[4]);
+			}, $content);
+
+			$content = preg_replace('#(<\?php \$this->config->context = \'[A-Z]+\'; )/\* !CTX[0-9]+! \*/(\?>)#', '$1$2', $content);
+		}
+
 		return $content;
 	}