Context Aware Escaping in href attr returns empty string.

Open peldax opened this issue 7 years ago • 1 comments

  • bug report? yes
  • feature request? no
  • version: 2.4.5

Description/Steps to reproduce

<link rel="stylesheet" type="text/css" href="/css/presenter/{$presenter->getName()}"/>

produces the following output

<link rel="stylesheet" type="text/css" href="/css/presenter/<?php echo LR\Filters::escapeHtmlAttr(LR\Filters::safeUrl($presenter->getName())) ?>.css">

The Latte compiler understands that it is escaping the href attribute and escapes the variable using safeUrl. SafeUrl checks for regex and, in this case, returns an empty string.

I believe the safeUrl filter should be applied to the complete value of the href attribute.

Workaround:

{var presenterStyle = '/css/presenter/' . $presenter->getName() . '.css'}
<link rel="stylesheet" type="text/css" href="{$presenterStyle}"/>

Appendix

The fix to this issue is somewhat complicated and I do not dare do it myself - I do not fully understand the Latte Compiler. Plus, I am not sure if it's worth investing time in, because the workaround is short and clean.

peldax avatar Aug 21 '17 09:08 peldax

An easier workaround is <link rel="stylesheet" type="text/css" href="/css/presenter/{$presenter->getName()|nocheck}"/>

dg avatar Aug 21 '17 17:08 dg

Fixed in Latte 3

dg avatar Nov 08 '23 18:11 dg
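
The difference between checking only the interpolated fragment and checking the complete href value, as an added example that is not Latte's code or part of the original thread. The `checkUrl()` regex is a simplified stand-in for a URL safety filter, the function names are hypothetical, and the sample presenter names are constructed (the second assumes a presenter name that contains a colon).

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a URL safety filter (an assumption, not Latte's source):
// accept http(s)/ftp/mailto URLs, values starting with / ? #, or values with no colon.
function checkUrl(string $s): string
{
    $ok = preg_match('~^(?:(?:https?|ftp)://.+|mailto:.+|[/?#].*|[^:]+)\z~i', $s);
    return $ok ? $s : '';
}

// HTML attribute escaping, applied after the URL check.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Behaviour reported in the issue: only the interpolated fragment is checked.
function hrefFragmentChecked(string $prefix, string $value, string $suffix): string
{
    return attr($prefix) . attr(checkUrl($value)) . attr($suffix);
}

// Behaviour the reporter asks for: the complete attribute value is checked.
function hrefWholeChecked(string $prefix, string $value, string $suffix): string
{
    return attr(checkUrl($prefix . $value . $suffix));
}

// Constructed sample values, not taken from the issue.
$samples = ['Homepage', 'Front:Homepage', 'javascript:alert(1)'];

foreach ($samples as $name) {
    printf(
        "%-22s fragment: %-22s whole: %s\n",
        var_export($name, true),
        hrefFragmentChecked('/css/presenter/', $name, '.css'),
        hrefWholeChecked('/css/presenter/', $name, '.css')
    );
}

// With no static prefix the value controls the scheme, so the check has to stay on.
printf("no prefix, whole value checked: %s\n",
    var_export(hrefWholeChecked('', 'javascript:alert(1)', ''), true));
```

In this sketch the static `/css/presenter/` prefix makes the complete value a path, which is why skipping the check with `|nocheck` is acceptable for this particular attribute. Where the variable begins the attribute value, the check is what blocks a `javascript:` scheme and should not be disabled.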