escaping is mandatory in HtmlAttributeUnquoted & HtmlComment

dg · dg · commit f3bf01a6fbf4 · 2023-01-03T01:49:25.000Z
diff --git a/src/Latte/Compiler/Escaper.php b/src/Latte/Compiler/Escaper.php
@@ -230,17 +230,19 @@ public function escape(string $str): string
 	}
 
 
-	public function escapeMandatory(string $str): string
+	public function escapeMandatory(string $str, ?Position $position = null): string
 	{
 		$quote = var_export($this->quote, true);
 		return match ($this->contentType) {
 			ContentType::Html => match ($this->state) {
 				self::HtmlAttributeQuoted => "LR\\Filters::escapeHtmlChar($str, $quote)",
 				self::HtmlRawText => "LR\\Filters::convertJSToHtmlRawText((string) $str)",
+				self::HtmlAttributeUnquoted, self::HtmlComment => throw new Latte\CompileException('Using |noescape is not allowed in this context.', $position),
 				default => $str,
 			},
 			ContentType::Xml => match ($this->state) {
 				self::HtmlAttributeQuoted => "LR\\Filters::escapeHtmlChar($str, $quote)",
+				self::HtmlAttributeUnquoted, self::HtmlComment => throw new Latte\CompileException('Using |noescape is not allowed in this context.', $position),
 				default => $str,
 			},
 			default => $str,
diff --git a/src/Latte/Compiler/Nodes/Php/ModifierNode.php b/src/Latte/Compiler/Nodes/Php/ModifierNode.php
@@ -70,7 +70,7 @@ public function printSimple(PrintContext $context, string $expr): string
 
 		$expr = $escape
 			? $escaper->escape($expr)
-			: $escaper->escapeMandatory($expr);
+			: $escaper->escapeMandatory($expr, $this->position);
 
 		return $expr;
 	}
diff --git a/tests/common/Compiler.noescape.phpt b/tests/common/Compiler.noescape.phpt
@@ -33,9 +33,10 @@ Assert::match(
 );
 
 // attribute unquoted values
-Assert::match(
-	'<p title=foo a=\'a\' b="b">></p>',
-	$latte->renderToString('<p title={="foo a=\'a\' b=\"b\">"|noescape}></p>'),
+Assert::exception(
+	fn() => $latte->renderToString('<p title={="foo a=\'a\' b=\"b\">"|noescape}></p>'),
+	Latte\CompileException::class,
+	'Using |noescape is not allowed in this context (on line 1 at column 32)',
 );
 
 // attribute quoted values
@@ -58,3 +59,10 @@ Assert::match(
 	'<p onclick="foo a=\'a\' b=&quot;b&quot;>"></p>',
 	$latte->renderToString('<p onclick="{="foo a=\'a\' b=\"b\">"|noescape}"></p>'),
 );
+
+// comment
+Assert::exception(
+	fn() => $latte->renderToString('<!-- {="-->"|noescape} -->'),
+	Latte\CompileException::class,
+	'Using |noescape is not allowed in this context (on line 1 at column 13)',
+);

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ public function printSimple(PrintContext $context, string $expr): string`
`70`	`70`
`71`	`71`	`$expr = $escape`
`72`	`72`	`? $escaper->escape($expr)`
`73`		`- : $escaper->escapeMandatory($expr);`
	`73`	`+ : $escaper->escapeMandatory($expr, $this->position);`
`74`	`74`
`75`	`75`	`return $expr;`
`76`	`76`	`}`