diff --git a/common/framework/Template.php b/common/framework/Template.php index 8330aae8a..49ffb831b 100644 --- a/common/framework/Template.php +++ b/common/framework/Template.php @@ -945,6 +945,31 @@ class Template return count($args) ? in_array((string)$validator_id, $args, true) : true; } + /** + * Check if the current visitor is using a mobile device for v2. + * + * @return bool + */ + protected function _v2_isMobile(): bool + { + return UA::isMobile() && (config('mobile.tablets') || !UA::isTablet()); + } + + /** + * Contextual escape function for v2. + * + * @param string $str + * @return string + */ + protected function _v2_escape(string $str): string + { + switch ($this->config->context) + { + case 'JS': return escape_js($str); + default: return escape($str); + } + } + /** * Lang shortcut for v2. * diff --git a/common/framework/parsers/template/TemplateParser_v2.php b/common/framework/parsers/template/TemplateParser_v2.php index b1d6c0c46..ff4dd6bde 100644 --- a/common/framework/parsers/template/TemplateParser_v2.php +++ b/common/framework/parsers/template/TemplateParser_v2.php @@ -104,8 +104,8 @@ class TemplateParser_v2 'cannot' => ['if ($this->_v2_checkCapability(2, %s)):', 'endif;'], 'canany' => ['if ($this->_v2_checkCapability(3, %s)):', 'endif;'], 'guest' => ['if (!$this->user->isMember()):', 'endif;'], - 'desktop' => ["if (!\\Context::get('m')):", 'endif;'], - 'mobile' => ["if (\\Context::get('m')):", 'endif;'], + 'desktop' => ['if (!$this->_v2_isMobile()):', 'endif;'], + 'mobile' => ['if ($this->_v2_isMobile()):', 'endif;'], 'env' => ['if (!empty($_ENV[%s])):', 'endif;'], 'else' => ['else:'], 'elseif' => ['elseif (%s):'], @@ -179,20 +179,45 @@ class TemplateParser_v2 */ protected function _addContextSwitches(string $content): string { - return preg_replace_callback('#(]*)|config->context = \'CSS\'; ?>' . $match[2] . 'config->context = \'HTML\'; ?>"'; + }, $content); + + // Inline scripts. + $content = preg_replace_callback('#(?<=\s)(href="javascript:|on[a-z]+=")([^"]*?)"#i', function($match) { + return $match[1] . 'config->context = \'JS\'; ?>' . $match[2] . 'config->context = \'HTML\'; ?>"'; + }, $content); + + // + + diff --git a/tests/_data/template/v2contextual.html b/tests/_data/template/v2contextual.html new file mode 100644 index 000000000..e8c690844 --- /dev/null +++ b/tests/_data/template/v2contextual.html @@ -0,0 +1,29 @@ +@version(2) + + + {{ $var }} +

+ +

+ + {{ $var }} + +

+ + + + + + diff --git a/tests/_data/template/v2example.compiled.html b/tests/_data/template/v2example.compiled.html index d4742e251..1c9dce8a3 100644 --- a/tests/_data/template/v2example.compiled.html +++ b/tests/_data/template/v2example.compiled.html @@ -15,16 +15,16 @@ {{ $foo }} -
+ get('foo')): ?> required="required"> - bar[3] === 'da'): ?> required="required" /> + bar[3] === 'da'): ?> required="required" />
baz))): ?> class="foobar"> foo || $__Context->bar): ?>

Hello bar): ?>foo ?? ''; ?>

-

config->context === 'JS' ? escape_js(implode('|', array_map(function($i) { return strtoupper($i); }, $__Context->bar))) : htmlspecialchars(implode('|', array_map(function($i) { return strtoupper($i); }, $__Context->bar)), \ENT_QUOTES, 'UTF-8', false); ?>

+

config->context === 'HTML' ? htmlspecialchars(implode('|', array_map(function($i) { return strtoupper($i); }, $__Context->bar)), \ENT_QUOTES, 'UTF-8', false) : $this->_v2_escape(implode('|', array_map(function($i) { return strtoupper($i); }, $__Context->bar))); ?>

@@ -33,7 +33,7 @@
nosuchvar)): ?> unit tests are cool - k >= 2): ?>class="config->context === 'JS' ? escape_js($__Context->val ?? '') : htmlspecialchars($__Context->val ?? '', \ENT_QUOTES, 'UTF-8', false); ?>"> + k >= 2): ?>class="config->context === 'HTML' ? htmlspecialchars($__Context->val ?? '', \ENT_QUOTES, 'UTF-8', false) : $this->_v2_escape($__Context->val ?? ''); ?>">
_v2_incrLoopVar($__loop_RANDOM_LOOP_ID); endforeach; $this->_v2_removeLoopVar($__loop_RANDOM_LOOP_ID); unset($__loop_RANDOM_LOOP_ID); else: ?>
Nothing here...
@@ -42,8 +42,8 @@ _v2_include("include", $__filename, [(string)$__varname => $__var]); endforeach; })('incl/eachtest', $__Context->bar, 'var'); ?> _v2_include("include", $__filename, [(string)$__varname => $__var]); endforeach; })('incl/eachtest', [], 'anything', 'incl/empty'); ?> - -

The full class name is , config->context === 'JS' ? escape_js(Rhymix\Framework\Push::class) : htmlspecialchars(Rhymix\Framework\Push::class, \ENT_QUOTES, 'UTF-8', false); ?> really.

+_v2_isMobile()): ?> +

The full class name is , config->context === 'HTML' ? htmlspecialchars(Rhymix\Framework\Push::class, \ENT_QUOTES, 'UTF-8', false) : $this->_v2_escape(Rhymix\Framework\Push::class); ?> really.

@@ -60,7 +60,11 @@ ]); ?>>
- +config->context = 'HTML'; ?> + +config->context = 'CSS'; ?>> + body { background-color: config->context === 'HTML' ? htmlspecialchars('#ffffff', \ENT_QUOTES, 'UTF-8', false) : $this->_v2_escape('#ffffff'); ?>; } +config->context = 'HTML'; ?> diff --git a/tests/_data/template/v2example.executed.html b/tests/_data/template/v2example.executed.html index 1baff6af2..3224403f0 100644 --- a/tests/_data/template/v2example.executed.html +++ b/tests/_data/template/v2example.executed.html @@ -60,3 +60,7 @@ const foo = 'FOOFOO\u003C\u0022FOO\u0022\u003EBAR'; const bar = ["Rhy","miX","is","da","BEST!"]; + + diff --git a/tests/_data/template/v2example.html b/tests/_data/template/v2example.html index 2b57d75d1..8335308bf 100644 --- a/tests/_data/template/v2example.html +++ b/tests/_data/template/v2example.html @@ -64,3 +64,7 @@ const foo = '{{ $foo }}'; const bar = @json($bar); + + diff --git a/tests/unit/framework/parsers/TemplateParserV2Test.php b/tests/unit/framework/parsers/TemplateParserV2Test.php index e6c7b0d9c..ce6e68ab7 100644 --- a/tests/unit/framework/parsers/TemplateParserV2Test.php +++ b/tests/unit/framework/parsers/TemplateParserV2Test.php @@ -248,11 +248,39 @@ class TemplateParserV2Test extends \Codeception\Test\Unit $this->assertEquals($target, $this->_parse($source)); } + public function testContextSwitches() + { + // '; + $target = ''; + $this->assertEquals($target, $this->_parse($source, true, false)); + + // Inline script in link href + $source = 'Hello'; + $target = 'Hello'; + $this->assertEquals($target, $this->_parse($source, true, false)); + + // Inline script in event handler + $source = '
Hello
'; + $target = '
Hello
'; + $this->assertEquals($target, $this->_parse($source, true, false)); + + // '; + $target = 'config->context = \'CSS\'; ?>> body { font-size: 16px; } config->context = \'HTML\'; ?>'; + $this->assertEquals($target, $this->_parse($source, true, false)); + + // Inline style + $source = '
'; + $target = '
'; + $this->assertEquals($target, $this->_parse($source, true, false)); + } + public function testEchoStatements() { // Basic usage of XE-style single braces $source = '{$var}'; - $target = "config->context === 'JS' ? escape_js(\$__Context->var ?? '') : htmlspecialchars(\$__Context->var ?? '', \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(\$__Context->var ?? '', \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(\$__Context->var ?? ''); ?>"; $this->assertEquals($target, $this->_parse($source)); // Single braces with space at beginning will not be parsed @@ -262,22 +290,22 @@ class TemplateParserV2Test extends \Codeception\Test\Unit // Single braces with space at end are OK $source = '{$var }'; - $target = "config->context === 'JS' ? escape_js(\$__Context->var ?? '') : htmlspecialchars(\$__Context->var ?? '', \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(\$__Context->var ?? '', \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(\$__Context->var ?? ''); ?>"; $this->assertEquals($target, $this->_parse($source)); // Correct handling of object property and array access $source = '{Context::getRequestVars()->$foo[$bar]}'; - $target = "config->context === 'JS' ? escape_js(Context::getRequestVars()->{\$__Context->foo}[\$__Context->bar]) : htmlspecialchars(Context::getRequestVars()->{\$__Context->foo}[\$__Context->bar], \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(Context::getRequestVars()->{\$__Context->foo}[\$__Context->bar], \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(Context::getRequestVars()->{\$__Context->foo}[\$__Context->bar]); ?>"; $this->assertEquals($target, $this->_parse($source)); // Basic usage of Blade-style double braces $source = '{{ $var }}'; - $target = "config->context === 'JS' ? escape_js(\$__Context->var ?? '') : htmlspecialchars(\$__Context->var ?? '', \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(\$__Context->var ?? '', \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(\$__Context->var ?? ''); ?>"; $this->assertEquals($target, $this->_parse($source)); // Double braces without spaces are OK $source = '{{$var}}'; - $target = "config->context === 'JS' ? escape_js(\$__Context->var ?? '') : htmlspecialchars(\$__Context->var ?? '', \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(\$__Context->var ?? '', \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(\$__Context->var ?? ''); ?>"; $this->assertEquals($target, $this->_parse($source)); // Literal double braces @@ -297,7 +325,7 @@ class TemplateParserV2Test extends \Codeception\Test\Unit // Multiline echo statement $source = '{{ $foo ?' . "\n" . ' date($foo) :' . "\n" . ' toBool($bar) }}'; - $target = "config->context === 'JS' ? escape_js(\$__Context->foo ? date(\$__Context->foo) : toBool(\$__Context->bar)) : htmlspecialchars(\$__Context->foo ?\n date(\$__Context->foo) :\n toBool(\$__Context->bar), \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(\$__Context->foo ?\n date(\$__Context->foo) :\n toBool(\$__Context->bar), \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(\$__Context->foo ? date(\$__Context->foo) : toBool(\$__Context->bar)); ?>"; $this->assertEquals($target, $this->_parse($source)); } @@ -339,11 +367,11 @@ class TemplateParserV2Test extends \Codeception\Test\Unit $this->assertEquals($target, $this->_parse($source)); $source = '{{ $lang->cmd_hello_world }}'; - $target = "config->context === 'JS' ? escape_js(\$__Context->lang->cmd_hello_world) : (\$__Context->lang->cmd_hello_world); ?>"; + $target = "config->context === 'HTML' ? (\$__Context->lang->cmd_hello_world) : \$this->_v2_escape(\$__Context->lang->cmd_hello_world); ?>"; $this->assertEquals($target, $this->_parse($source)); $source = '{{ $user_lang->user_lang_1234567890 }}'; - $target = "config->context === 'JS' ? escape_js(\$__Context->user_lang->user_lang_1234567890 ?? '') : (\$__Context->user_lang->user_lang_1234567890 ?? ''); ?>"; + $target = "config->context === 'HTML' ? (\$__Context->user_lang->user_lang_1234567890 ?? '') : \$this->_v2_escape(\$__Context->user_lang->user_lang_1234567890 ?? ''); ?>"; $this->assertEquals($target, $this->_parse($source)); // Escape @@ -366,11 +394,6 @@ class TemplateParserV2Test extends \Codeception\Test\Unit $target = "foo ?? ''); ?>"; $this->assertEquals($target, $this->_parse($source)); - // Context-aware escape - $source = ''; - $target = ''; - $this->assertEquals($target, $this->_parse($source)); - // JSON using context-aware escape $source = '{{ $foo|json }}'; $target = implode('', [ @@ -382,12 +405,12 @@ class TemplateParserV2Test extends \Codeception\Test\Unit // strip_tags $source = '{{ $foo|strip }}'; - $target = "config->context === 'JS' ? escape_js(strip_tags(\$__Context->foo ?? '')) : htmlspecialchars(strip_tags(\$__Context->foo ?? ''), \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(strip_tags(\$__Context->foo ?? ''), \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(strip_tags(\$__Context->foo ?? '')); ?>"; $this->assertEquals($target, $this->_parse($source)); // strip_tags (alternate name) $source = '{{ $foo|upper|strip_tags }}'; - $target = "config->context === 'JS' ? escape_js(strip_tags(strtoupper(\$__Context->foo ?? ''))) : htmlspecialchars(strip_tags(strtoupper(\$__Context->foo ?? '')), \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(strip_tags(strtoupper(\$__Context->foo ?? '')), \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(strip_tags(strtoupper(\$__Context->foo ?? ''))); ?>"; $this->assertEquals($target, $this->_parse($source)); // Trim @@ -397,12 +420,12 @@ class TemplateParserV2Test extends \Codeception\Test\Unit // URL encode $source = '{{ $foo|trim|urlencode }}'; - $target = "config->context === 'JS' ? escape_js(rawurlencode(trim(\$__Context->foo ?? ''))) : htmlspecialchars(rawurlencode(trim(\$__Context->foo ?? '')), \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(rawurlencode(trim(\$__Context->foo ?? '')), \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(rawurlencode(trim(\$__Context->foo ?? ''))); ?>"; $this->assertEquals($target, $this->_parse($source)); // Lowercase $source = '{{ $foo|trim|lower }}'; - $target = "config->context === 'JS' ? escape_js(strtolower(trim(\$__Context->foo ?? ''))) : htmlspecialchars(strtolower(trim(\$__Context->foo ?? '')), \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(strtolower(trim(\$__Context->foo ?? '')), \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(strtolower(trim(\$__Context->foo ?? ''))); ?>"; $this->assertEquals($target, $this->_parse($source)); // Uppercase @@ -422,37 +445,37 @@ class TemplateParserV2Test extends \Codeception\Test\Unit // Array join (default joiner is comma) $source = '{{ $foo|join }}'; - $target = "config->context === 'JS' ? escape_js(implode(', ', \$__Context->foo ?? '')) : htmlspecialchars(implode(', ', \$__Context->foo ?? ''), \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(implode(', ', \$__Context->foo ?? ''), \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(implode(', ', \$__Context->foo ?? '')); ?>"; $this->assertEquals($target, $this->_parse($source)); // Array join (custom joiner) $source = '{{ $foo|join:"!@!" }}'; - $target = "config->context === 'JS' ? escape_js(implode(\"!@!\", \$__Context->foo ?? '')) : htmlspecialchars(implode(\"!@!\", \$__Context->foo ?? ''), \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(implode(\"!@!\", \$__Context->foo ?? ''), \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(implode(\"!@!\", \$__Context->foo ?? '')); ?>"; $this->assertEquals($target, $this->_parse($source)); // Date conversion (default format) $source = '{{ $item->regdate | date }}'; - $target = "config->context === 'JS' ? escape_js(getDisplayDateTime(ztime(\$__Context->item->regdate ?? ''), 'Y-m-d H:i:s')) : htmlspecialchars(getDisplayDateTime(ztime(\$__Context->item->regdate ?? ''), 'Y-m-d H:i:s'), \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(getDisplayDateTime(ztime(\$__Context->item->regdate ?? ''), 'Y-m-d H:i:s'), \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(getDisplayDateTime(ztime(\$__Context->item->regdate ?? ''), 'Y-m-d H:i:s')); ?>"; $this->assertEquals($target, $this->_parse($source)); // Date conversion (custom format) $source = "{{ \$item->regdate | date:'n/j H:i' }}"; - $target = "config->context === 'JS' ? escape_js(getDisplayDateTime(ztime(\$__Context->item->regdate ?? ''), 'n/j H:i')) : htmlspecialchars(getDisplayDateTime(ztime(\$__Context->item->regdate ?? ''), 'n/j H:i'), \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(getDisplayDateTime(ztime(\$__Context->item->regdate ?? ''), 'n/j H:i'), \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(getDisplayDateTime(ztime(\$__Context->item->regdate ?? ''), 'n/j H:i')); ?>"; $this->assertEquals($target, $this->_parse($source)); // Date conversion (custom format in variable) $source = "{{ \$item->regdate | date:\$format }}"; - $target = "config->context === 'JS' ? escape_js(getDisplayDateTime(ztime(\$__Context->item->regdate ?? ''), \$__Context->format)) : htmlspecialchars(getDisplayDateTime(ztime(\$__Context->item->regdate ?? ''), \$__Context->format), \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(getDisplayDateTime(ztime(\$__Context->item->regdate ?? ''), \$__Context->format), \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(getDisplayDateTime(ztime(\$__Context->item->regdate ?? ''), \$__Context->format)); ?>"; $this->assertEquals($target, $this->_parse($source)); // Number format $source = '{{ $num | format }}'; - $target = "config->context === 'JS' ? escape_js(number_format(\$__Context->num ?? '')) : htmlspecialchars(number_format(\$__Context->num ?? ''), \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(number_format(\$__Context->num ?? ''), \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(number_format(\$__Context->num ?? '')); ?>"; $this->assertEquals($target, $this->_parse($source)); // Number format (alternate name) $source = '{{ $num | number_format }}'; - $target = "config->context === 'JS' ? escape_js(number_format(\$__Context->num ?? '')) : htmlspecialchars(number_format(\$__Context->num ?? ''), \ENT_QUOTES, 'UTF-8', false); ?>"; + $target = "config->context === 'HTML' ? htmlspecialchars(number_format(\$__Context->num ?? ''), \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(number_format(\$__Context->num ?? '')); ?>"; $this->assertEquals($target, $this->_parse($source)); // Number format (custom format) @@ -573,7 +596,7 @@ class TemplateParserV2Test extends \Codeception\Test\Unit // Script tag with external path $source = ''; - $target = ''; + $target = ''; $this->assertEquals($target, $this->_parse($source)); // Absolute URL @@ -797,7 +820,7 @@ class TemplateParserV2Test extends \Codeception\Test\Unit ]); $target = implode("\n", [ "_v2_errorExists('email', 'login')): ?>", - "config->context === 'JS' ? escape_js(\$__Context->message ?? '') : htmlspecialchars(\$__Context->message ?? '', \ENT_QUOTES, 'UTF-8', false); ?>", + "config->context === 'HTML' ? htmlspecialchars(\$__Context->message ?? '', \ENT_QUOTES, 'UTF-8', false) : \$this->_v2_escape(\$__Context->message ?? ''); ?>", '', ]); $this->assertEquals($target, $this->_parse($source)); @@ -858,10 +881,10 @@ class TemplateParserV2Test extends \Codeception\Test\Unit '@endmobile', ]); $target = implode("\n", [ - "", + '_v2_isMobile()): ?>', '

4K or GTFO!

', '', - "", + '_v2_isMobile()): ?>', '

USB C is the way to go~

', '', ]); @@ -976,17 +999,17 @@ class TemplateParserV2Test extends \Codeception\Test\Unit // Lang code with variable as name $source = '@lang($var->name)'; - $target = 'config->context === \'JS\' ? escape_js($this->_v2_lang($__Context->var->name)) : $this->_v2_lang($__Context->var->name); ?>'; + $target = 'config->context === \'HTML\' ? $this->_v2_lang($__Context->var->name) : $this->_v2_escape($this->_v2_lang($__Context->var->name)); ?>'; $this->assertEquals($target, $this->_parse($source)); // Lang code with literal name and variable $source = "@lang('board.cmd_list_items', \$var)"; - $target = "config->context === 'JS' ? escape_js(\$this->_v2_lang('board.cmd_list_items', \$__Context->var)) : \$this->_v2_lang('board.cmd_list_items', \$__Context->var); ?>"; + $target = "config->context === 'HTML' ? \$this->_v2_lang('board.cmd_list_items', \$__Context->var) : \$this->_v2_escape(\$this->_v2_lang('board.cmd_list_items', \$__Context->var)); ?>"; $this->assertEquals($target, $this->_parse($source)); // Lang code with class alias $source = "@use('Rhymix\Framework\Lang', 'Lang')\n" . '

@lang(Lang::getLang())

'; - $target = "\n" . '

config->context === \'JS\' ? escape_js($this->_v2_lang(Rhymix\Framework\Lang::getLang())) : $this->_v2_lang(Rhymix\Framework\Lang::getLang()); ?>

'; + $target = "\n" . '

config->context === \'HTML\' ? $this->_v2_lang(Rhymix\Framework\Lang::getLang()) : $this->_v2_escape($this->_v2_lang(Rhymix\Framework\Lang::getLang())); ?>

'; $this->assertEquals($target, $this->_parse($source)); // Dump one variable @@ -1001,12 +1024,17 @@ class TemplateParserV2Test extends \Codeception\Test\Unit // URL $source = "@url(['mid' => 'foo', 'act' => 'dispBoardWrite'])"; - $target = "config->context === 'JS' ? escape_js(getNotEncodedUrl(['mid' => 'foo', 'act' => 'dispBoardWrite'])) : getUrl(['mid' => 'foo', 'act' => 'dispBoardWrite']); ?>"; + $target = "config->context === 'HTML' ? getUrl(['mid' => 'foo', 'act' => 'dispBoardWrite']) : \$this->_v2_escape(getNotEncodedUrl(['mid' => 'foo', 'act' => 'dispBoardWrite'])); ?>"; $this->assertEquals($target, $this->_parse($source)); // URL old-style with variables $source = "@url('', 'mid', \$mid, 'act', \$act])"; - $target = "config->context === 'JS' ? escape_js(getNotEncodedUrl('', 'mid', \$__Context->mid, 'act', \$__Context->act])) : getUrl('', 'mid', \$__Context->mid, 'act', \$__Context->act]); ?>"; + $target = "config->context === 'HTML' ? getUrl('', 'mid', \$__Context->mid, 'act', \$__Context->act]) : \$this->_v2_escape(getNotEncodedUrl('', 'mid', \$__Context->mid, 'act', \$__Context->act])); ?>"; + $this->assertEquals($target, $this->_parse($source)); + + // Widget + $source = "@widget('login_info', ['skin' => 'default'])"; + $target = "execute('login_info', ['skin' => 'default']); ?>"; $this->assertEquals($target, $this->_parse($source)); } @@ -1197,6 +1225,24 @@ class TemplateParserV2Test extends \Codeception\Test\Unit $this->assertStringContainsString('/tests/_data/template/css/style.scss', array_first($list)['file']); } + public function testCompileContextualEscape() + { + // Contextual escape + $tmpl = new \Rhymix\Framework\Template('./tests/_data/template', 'v2contextual.html'); + $tmpl->disableCache(); + $tmpl->setVars([ + 'var' => 'Hello <"world"> (\'string\') variable.jpg' + ]); + + $executed_output = $tmpl->compile(); + //Rhymix\Framework\Storage::write(\RX_BASEDIR . 'tests/_data/template/v2contextual.executed.html', $executed_output); + $expected = file_get_contents(\RX_BASEDIR . 'tests/_data/template/v2contextual.executed.html'); + $this->assertEquals( + $this->_normalizeWhitespace($expected), + $this->_normalizeWhitespace($executed_output) + ); + } + public function testCompileLang() { // Lang @@ -1295,9 +1341,10 @@ class TemplateParserV2Test extends \Codeception\Test\Unit * * @param string $source * @param bool $force_v2 Disable version detection + * @param bool $remove_context_switches Remove context switches that make code difficult to read * @return string */ - protected function _parse(string $source, bool $force_v2 = true): string + protected function _parse(string $source, bool $force_v2 = true, bool $remove_context_switches = true): string { $tmpl = new \Rhymix\Framework\Template('./tests/_data/template', 'empty.html'); if ($force_v2) @@ -1309,6 +1356,13 @@ class TemplateParserV2Test extends \Codeception\Test\Unit { $result = substr($result, strlen($this->prefix)); } + + // Remove context switches. + if ($remove_context_switches) + { + $result = preg_replace('#<\?php \$this->config->context = \'[A-Z]+\'; \?>#', '', $result); + } + return $result; } diff --git a/tests/unit/functions/FunctionsTest.php b/tests/unit/functions/FunctionsTest.php index d9657c2f5..000fe451f 100644 --- a/tests/unit/functions/FunctionsTest.php +++ b/tests/unit/functions/FunctionsTest.php @@ -50,8 +50,10 @@ class FunctionsTest extends \Codeception\Test\Unit $this->assertEquals('$user_lang->userLang1234567890', escape('$user_lang->userLang1234567890', true, false)); $this->assertEquals('$user_lang->userLang1234567890', escape('$user_lang->userLang1234567890', true, true)); - $this->assertEquals('expressionalertXSS', escape_css('expression:alert("XSS")')); + $this->assertEquals('expressionalert(XSS)', escape_css('expression:alert("XSS")')); $this->assertEquals('#123456', escape_css('#123456')); + $this->assertEquals('16px/160% Segoe UI, sans-serif font-style', escape_css('16px/160% Segoe UI, sans-serif; font-style')); + $this->assertEquals('box-shadow(0 1px 2px rgba(0, 0, 0, 0.15)', escape_css('box-shadow(0 1px 2px rgba(0, 0, 0, "0.15")')); $this->assertEquals('hello\\\\world', escape_js('hello\\world')); $this->assertEquals('\u003Cbr \/\u003E', escape_js('
'));