Merge pull request phalcon#11300 from sergeyklay/tag/get_title

Now a title will be automatically escaped
Alive2212 · Jan 13, 2016 · 2f734ce · 2f734ce
2 parents e7bb2ca + ad5a553
commit 2f734ce
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 - Added quoting column in `Phalcon\Db\Dialect\MySQL::addColumn` when define position of the column
 - Added support to define position of the column in `Phalcon\Db\Dialect\MySQL::modifyColumn`
 - Fixed `Phalcon\Mvc\Model\Query\Builder` bug[#11298] related to resetting limit to null
+- Fixed `Phalcon\Tag::getTitle` bug[#11185]. Now a title will be automatically escaped.
 
 # [2.0.9](https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.9) (2015-11-24)
 - Fixed bug that double serializes data using Redis adapter

diff --git a/phalcon/tag.zep b/phalcon/tag.zep
@@ -1076,7 +1076,8 @@ class Tag
 	}
 
 	/**
-	 * Gets the current document title
+	 * Gets the current document title.
+	 * The title will be automatically escaped.
 	 *
 	 * <code>
 	 * 	echo Phalcon\Tag::getTitle();
@@ -1088,11 +1089,15 @@ class Tag
 	 */
 	public static function getTitle(boolean tags = true) -> string
 	{
-		var documentTitle;
-		let documentTitle = self::_documentTitle;
+		var documentTitle, escaper;
+
+		let escaper = <EscaperInterface> self::getEscaper(["escape": true]);
+		let documentTitle = escaper->escapeHtml(self::_documentTitle);
+
 		if tags {
 			return "<title>" . documentTitle . "</title>" . PHP_EOL;
 		}
+
 		return documentTitle;
 	}
 

diff --git a/tests/unit/Phalcon/Tag/TagTitleTest.php b/tests/unit/Phalcon/Tag/TagTitleTest.php
@@ -7,7 +7,7 @@
  *
  * Phalcon Framework
  *
- * @copyright (c) 2011-2014 Phalcon Team
+ * @copyright (c) 2011-2016 Phalcon Team
  * @link      http://www.phalconphp.com
  * @author    Andres Gutierrez <andres@phalconphp.com>
  * @author    Nikolaos Dimopoulos <nikos@phalconphp.com>
@@ -26,6 +26,31 @@
 
 class TagTitleTest extends Helper\TagBase
 {
+    /**
+     * Tests malicious content in the title
+     *
+     * @issue  11185
+     * @author Serghei Iakovlev <serghei@phalconphp.com>
+     * @since  2016-01-13
+     */
+    public function testGetTitleWithoutMaliciousContent()
+    {
+        $this->specify(
+            "getTitle returns malicious content",
+            function () {
+
+                PhTTag::resetInput();
+                $value = "Hello </title><script>alert('Got your nose!');</script><title>";
+
+                PhTTag::setTitle($value);
+
+                $expected = "<title>Hello &lt;/title&gt;&lt;script&gt;alert(&#039;Got your nose!&#039;);&lt;/script&gt;&lt;title&gt;</title>" . PHP_EOL;
+                $actual   = PhTTag::getTitle();
+
+                expect($actual)->equals($expected);
+            }
+        );
+    }
 
     /**
      * Tests setTitle