diff --git a/src/TwigExtra/src/Twig/Extension/TestFormAttributeExtension.php b/src/TwigExtra/src/Twig/Extension/TestFormAttributeExtension.php
index 5cad3403..2079cdec 100644
--- a/src/TwigExtra/src/Twig/Extension/TestFormAttributeExtension.php
+++ b/src/TwigExtra/src/Twig/Extension/TestFormAttributeExtension.php
@@ -43,7 +43,9 @@ function (array $attributes): array {
 $result = [];
 foreach ($attributes as $name => $value) {
- $result[sprintf('data-test-%s', $name)] = (string) $value;
+ $escapedValue = htmlspecialchars((string) $value, \ENT_QUOTES | \ENT_SUBSTITUTE, 'UTF-8');
+
+ $result[sprintf('data-test-%s', $name)] = $escapedValue;
 }
 return ['attr' => $result];
@@ -59,7 +61,9 @@ function (array $attributes): array {
 public function getTestFormAttribute(string $name, ?string $value = null): array
 {
 if (str_starts_with($this->environment, 'test') || $this->isDebugEnabled) {
- return ['attr' => ['data-test-' . $name => (string) $value]];
+ $escapedValue = htmlspecialchars((string) $value, \ENT_QUOTES | \ENT_SUBSTITUTE, 'UTF-8');
+
+ return ['attr' => ['data-test-' . $name => $escapedValue]];
 }
 return [];
diff --git a/src/TwigExtra/src/Twig/Extension/TestHtmlAttributeExtension.php b/src/TwigExtra/src/Twig/Extension/TestHtmlAttributeExtension.php
index 6e092d43..9971842a 100644
--- a/src/TwigExtra/src/Twig/Extension/TestHtmlAttributeExtension.php
+++ b/src/TwigExtra/src/Twig/Extension/TestHtmlAttributeExtension.php
@@ -32,7 +32,9 @@ public function getFunctions(): array
 'sylius_test_html_attribute',
 function (string $name, ?string $value = null): string {
 if (str_starts_with($this->environment, 'test') || $this->isDebugEnabled) {
- return sprintf('data-test-%s="%s"', $name, (string) $value);
+ $escapedValue = htmlspecialchars((string) $value, \ENT_QUOTES | \ENT_SUBSTITUTE, 'UTF-8');
+
+ return sprintf('data-test-%s="%s"', $name, $escapedValue);
 }
 return '';
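Review bot: The value escaped on the `+ $result[sprintf('data-test-%s', $name)] = $escapedValue;` line is not HTML output but a form `attr` option, and the form theme that eventually prints those attributes escapes them again, so a `"` in `$value` will most likely reach the browser as `&amp;quot;` — escaping belongs at the output sink, not in the data handed to it. As far as I can tell from outside this diff, Symfony's stock `widget_attributes` block renders every `attr` value under autoescape; if a custom theme in this project prints them raw, that theme is the bug to fix rather than this array. The attribute name from the `$name` key is still interpolated verbatim into `sprintf('data-test-%s', $name)`, so whatever is decided for the value should also cover the name, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', (string) $name)) { throw new \InvalidArgumentException(sprintf('Invalid test attribute name "%s".', $name)); }` at the top of the loop body. The enclosing closure starts before this hunk and ends after it.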
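Review bot: `getTestFormAttribute` now repeats the exact `htmlspecialchars((string) $value, \ENT_QUOTES | \ENT_SUBSTITUTE, 'UTF-8')` call from the closure above; the flag set and charset are the security-relevant part and should live in one place, e.g. `private static function escapeAttributeValue(?string $value): string { return htmlspecialchars((string) $value, \ENT_QUOTES | \ENT_SUBSTITUTE, 'UTF-8'); }` called from both sites. The same double-encoding question applies here: the returned array is the form `attr` option, which the rendering form theme escapes once more, so the HTML source for a value of `a&b` would presumably carry `a&amp;amp;b` unless the theme prints attributes raw — a test that pins whichever behaviour is intended would settle it. `$name` is still concatenated unescaped into the key `'data-test-' . $name`, so a caller-controlled name can inject a second attribute if it ever reaches this method from untrusted input; it is presumably a template literal, but a `preg_match('/^[A-Za-z0-9_-]+$/', $name)` guard costs nothing. The method's closing brace lies outside the hunk.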
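Review bot: The string returned by `sylius_test_html_attribute` is emitted as HTML (the existing test name says the function is declared safe for `html`), and only `$value` is escaped on the `+ return sprintf('data-test-%s="%s"', $name, $escapedValue);` line: `$name` still passes through verbatim, so a name containing a space or `" onmouseover="alert(1)` breaks out of the attribute exactly as the old value did. Names are presumably template literals, but since this is the one place in the diff where escaping is genuinely needed, reject anything outside the attribute-name alphabet before the early return: `if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) { throw new \InvalidArgumentException(sprintf('Invalid test attribute name "%s".', $name)); }`. A short comment above the `htmlspecialchars` call, such as `// This string is printed raw (is_safe: html), so the value must be attribute-escaped here.`, would also stop someone later "harmonising" it with the form-attribute extension, which hands values to a form theme that escapes them itself. The closure body ends inside the hunk, but `getFunctions()` continues outside it.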
diff --git a/src/TwigExtra/tests/Unit/Twig/Extension/TestFormAttributeExtensionTest.php b/src/TwigExtra/tests/Unit/Twig/Extension/TestFormAttributeExtensionTest.php
index 126d7fbc..6a7edcd2 100644
--- a/src/TwigExtra/tests/Unit/Twig/Extension/TestFormAttributeExtensionTest.php
+++ b/src/TwigExtra/tests/Unit/Twig/Extension/TestFormAttributeExtensionTest.php
@@ -142,4 +142,17 @@ public function testItsTestFormAttributesTwigFunctionIsSafeForHtml(): void
 $this->assertEquals(['html'], $twigFunction->getSafe(new Node()));
 }
+
+ public function testItsTestFormAttributeEscapesHtmlSpecialCharacters(): void
+ {
+ $twigFunction = (new TestFormAttributeExtension('test', false))->getFunctions()[0];
+ $callable = $twigFunction->getCallable();
+
+ $this->assertIsCallable($callable);
+
+ $input = '\'" onmouseover="alert(1)';
+ $expected = ['attr' => ['data-test-comment' => ''" onmouseover="alert(1)']];
+
+ $this->assertEquals($expected, ($callable)('comment', $input));
+ }
 }
diff --git a/src/TwigExtra/tests/Unit/Twig/Extension/TestHtmlAttributeExtensionTest.php b/src/TwigExtra/tests/Unit/Twig/Extension/TestHtmlAttributeExtensionTest.php
index fd7cba32..996887ee 100644
--- a/src/TwigExtra/tests/Unit/Twig/Extension/TestHtmlAttributeExtensionTest.php
+++ b/src/TwigExtra/tests/Unit/Twig/Extension/TestHtmlAttributeExtensionTest.php
@@ -74,4 +74,17 @@ public function testItsTwigFunctionIsSafeForHtml(): void
 $this->assertEquals(['html'], $twigFunction->getSafe(new Node()));
 }
+
+ public function testItsTwigFunctionEscapesHtmlSpecialChars(): void
+ {
+ $twigFunction = (new TestHtmlAttributeExtension('test', false))->getFunctions()[0];
+ $callable = $twigFunction->getCallable();
+
+ $this->assertIsCallable($callable);
+
+ $input = '">assertEquals($expectedEscaped, ($callable)('comment', $input));
+ }
 }
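Review bot: As shown here, the `$expected` literal on the `+ $expected = ['attr' => ['data-test-comment' => ''" onmouseover="alert(1)']];` line is byte-identical to `$input` with its quotes unescaped, which is neither valid PHP nor an assertion that anything was escaped; this is almost certainly the page decoding `&#039;` and `&quot;` on display, but the committed source should read `'&#039;&quot; onmouseover=&quot;alert(1)'` and is worth confirming in the repository. The test never passes an ampersand, which is the input that distinguishes single from double encoding once a form theme escapes the `attr` value again; add `$this->assertEquals(['attr' => ['data-test-comment' => 'a&amp;b']], ($callable)('comment', 'a&b'));` and a `null` value case expecting `''`. `getFunctions()[0]` couples the test to the order of functions in the extension (and presumably picks `sylius_test_form_attribute`, given the two-argument call); selecting by `getName()` would survive a reorder.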