Skip to content

Autoescaping improvements#577

Merged
dave-irvine merged 3 commits into
twigjs:masterfrom
ollien:master
Aug 9, 2018
Merged

Autoescaping improvements#577
dave-irvine merged 3 commits into
twigjs:masterfrom
ollien:master

Conversation

@ollien
Copy link
Copy Markdown
Contributor

@ollien ollien commented Aug 3, 2018

Twig.js's autoescaping currently has some potentially unexpected behavior.

When autoescaping, the returned string object has a twig_markup value of true, which is unexpected and currently breaks certain usages of the twig module. For instance, you cannot insert this String as-is to your DOM, and must first call .valueOf(). I've changed the output to always return a properly formatted string, rather than this String object. This should not break any existing code, as you can still call .valueOf() on this newly returned string.

The more glaring problem however, is that the current version of twig.js doubly-escapes strings marked as html_attr with the html strategy. PHP Twig does not do this. I've added a fix for this.

Here's a quick demo of the problem. Given this template

{{ foo }}
{{ bar|escape('html_attr') }}

I've written the following test scripts in Node,

let twig = require('./src/twig.js');
let fs = require('fs');

let templateFile = fs.readFileSync('../twig-test/templates/test.html.twig', {encoding: 'utf-8'});
let template = twig.twig({data: templateFile, autoescape: 'html'});
console.log(template.render({foo: '<script>alert("hi!")</script>', bar: '" onclick="alert(\\"html_attr\\")"'}));

and in PHP.

<?php

require_once 'vendor/autoload.php';

$loader = new Twig_Loader_Filesystem('templates');
$twig = new Twig_Environment($loader, ['autoescape' => 'html']);
$template = $twig->load('test.html.twig');
echo $template->render(['foo' => '<script>alert("hi!")</script>', 'bar' => '" onclick="alert(\"html_attr\")"']);

The Node script output is as follows

&lt;script&gt;alert(&quot;hi!&quot;)&lt;/script&gt;
&amp;quot;&amp;#x20;onclick&amp;#x3D;&amp;quot;alert&amp;#x28;&amp;quot;html_attr&amp;quot;&amp;#x29;&amp;quot;

while the PHP script outputs

&lt;script&gt;alert(&quot;hi!&quot;)&lt;/script&gt;
&quot;&#x20;onclick&#x3D;&quot;alert&#x28;&#x5C;&quot;html_attr&#x5C;&quot;&#x29;&quot;

Note that the inverse operation (i.e. escaping as 'html' while using 'html_attr') does double escape in both twig.js and PHP twig.

@dave-irvine
Copy link
Copy Markdown
Contributor

dave-irvine commented Aug 8, 2018

@ollien Can you write a couple of tests for this? Just something that breaks before your changes and passes after your changes.

@ollien
Copy link
Copy Markdown
Contributor Author

ollien commented Aug 8, 2018

Sure. I'll get that out this afternoon.

@dave-irvine dave-irvine merged commit b8590cd into twigjs:master Aug 9, 2018
@tgabi333 tgabi333 mentioned this pull request Jan 19, 2019
Merged
@ollien ollien mentioned this pull request Jan 31, 2019
Closed
willrowe pushed a commit to willrowe/twig.js that referenced this pull request May 11, 2019
@ollien @willrowe
Autoescaping improvements (twigjs#577)
8d5736c 
* Return value of output instead of string object

* Fix double escaping when using html_attr within html

* Add unit tests for double escaping and string object mangling
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@kcostagliola2 kcostagliola2 kcostagliola2 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ollien @dave-irvine @kcostagliola2