prevent attributes from leaking
withinboredom committed Oct 29, 2023
1 parent 2f49185 commit b4d3c68
Showing 1 changed file with 10 additions and 6 deletions.
16 changes: 10 additions & 6 deletions src/Template/Parser/StreamingCompiler.php
Expand Up @@ -112,7 +112,7 @@ private function renderCharacterReference($document): Document

private function escapeData(int $selectionStart, Document $document): Closure
{
if($this->blockAttributes) {
if ($this->blockAttributes) {
return static fn(Closure $x) => $x($document);
}
$end = $document->mark() - 1;
Expand Down Expand Up @@ -426,13 +426,17 @@ private function renderOpenTagName(Document $document): Document
$starting = $document->mark();
$this->lastTagOpenOpen = $starting - 1;

if (!$this->blockAttributes) {
$this->attributes = [];
}

$document = $this->renderTagName($document);

switch ($tag = mb_strtolower($this->nameBuffer)) {
case 'title':
case 'textarea':
$this->mustMatch = $tag;
if($this->blockAttributes) {
if ($this->blockAttributes) {
return $this->renderRCData($document);
}
$now = $document->mark();
Expand All @@ -441,7 +445,7 @@ private function renderOpenTagName(Document $document): Document
->insert($this->blobber->replaceBlobs($output, $this->escaper->escapeHtml(...)), $now);
case 'style':
$this->mustMatch = $tag;
if($this->blockAttributes) {
if ($this->blockAttributes) {
return $this->renderRawText($document);
}
$now = $document->mark();
Expand All @@ -456,7 +460,7 @@ private function renderOpenTagName(Document $document): Document
case 'plaintext':
case 'noframes':
$this->mustMatch = $tag;
if($this->blockAttributes) {
if ($this->blockAttributes) {
return $this->renderRawText($document);
}
$now = $document->mark();
Expand All @@ -465,7 +469,7 @@ private function renderOpenTagName(Document $document): Document
->insert($this->blobber->replaceBlobs($output, $this->escaper->escapeHtml(...)), $now);
case 'script':
$this->mustMatch = $tag;
if($this->blockAttributes) {
if ($this->blockAttributes) {
return $this->renderScriptData($document);
}
$now = $document->mark();
Expand Down Expand Up @@ -1195,7 +1199,7 @@ private function renderAfterAttributeValueQuoted(Document $document): Document

private function processAttributes(Document $document): Document
{
if($this->blockAttributes) {
if ($this->blockAttributes) {
return $document;
}

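Review bot: The new reset in renderOpenTagName (`if (!$this->blockAttributes) { $this->attributes = []; }`) has no comment saying which leak it closes or why the buffer is deliberately kept while `blockAttributes` is set, and the commit touches only this one file, so no regression test pins the behaviour. Because this class sits on the escaping path (escapeData, `escapeHtml(...)`), attributes collected for one element being carried into the next deserves a note at the reset, e.g. `// Start each tag with an empty attribute buffer so values from the previous element cannot carry over; kept as-is while blockAttributes is set (TODO: state why).` It is also worth confirming that renderOpenTagName is the only place where attribute collection for a tag begins, which these hunks do not show; the function body starts and ends outside the hunk. A test that compiles two adjacent elements, the first with attributes and the second without, and asserts the second sees none would keep this from regressing.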
