[#16123] - corrected attributes escaping - removed array/string check

niden · niden · commit b433316a463e · 2022-09-27T10:15:09.000-04:00
diff --git a/phalcon/Html/Escaper.zep b/phalcon/Html/Escaper.zep
@@ -66,12 +66,8 @@ class Escaper implements EscaperInterface
     {
         var key, result, value;
 
-        if (typeof input !== "string" && typeof input !== "array") {
-            throw new Exception("Input must be an array or a string");
-        }
-
-        if (typeof input === "string") {
-            return this->phpHtmlSpecialChars(input);
+        if likely (typeof input !== "array") {
+            return this->phpHtmlSpecialChars((string) input);
         }
 
         let result = "";
@@ -86,11 +82,11 @@ class Escaper implements EscaperInterface
                 let value = implode(" ", value);
             }
 
-            let result .= this->phpHtmlSpecialChars(key);
+            let result .= this->phpHtmlSpecialChars((string) key);
 
             if (true !== value) {
                 let result .= "=\""
-                    . this->phpHtmlSpecialChars(value)
+                    . this->phpHtmlSpecialChars((string) value)
                     . "\"";
             }
 
diff --git a/tests/unit/Html/Escaper/AttributesCest.php b/tests/unit/Html/Escaper/AttributesCest.php
@@ -77,6 +77,24 @@ private function escaperEscapeHtmlAttrProvider(): array
                 'expected'      => 'That&#039;s right',
                 'text'          => "That's right",
             ],
+            [
+                'htmlQuoteType' => ENT_HTML5,
+                'expected'      => '10',
+                'text'          => 10,
+            ],
+            [
+                'htmlQuoteType' => ENT_HTML5,
+                'expected'      => 'maxlength="10" cols="5" rows="3" min="1" max="100"',
+                'text'          => [
+                    'maxlength'  => 10,
+                    'cols'       => 5,
+                    'rows'       => 3,
+                    'min'        => 1,
+                    'max'        => 100,
+                    'notPrinted'  => false,
+                    'notPrinted2' => null,
+                ],
+            ],
             [
                 'htmlQuoteType' => ENT_HTML5,
                 'expected'      => 'text="Ferrari Ford Dodge"',

Original file line number	Diff line number	Diff line change
`@@ -66,12 +66,8 @@ class Escaper implements EscaperInterface`
`66`	`66`	`{`
`67`	`67`	`var key, result, value;`
`68`	`68`
`69`		`- if (typeof input !== "string" && typeof input !== "array") {`
`70`		`- throw new Exception("Input must be an array or a string");`
`71`		`- }`
`72`		`-`
`73`		`- if (typeof input === "string") {`
`74`		`- return this->phpHtmlSpecialChars(input);`
	`69`	`+ if likely (typeof input !== "array") {`
	`70`	`+ return this->phpHtmlSpecialChars((string) input);`
`75`	`71`	`}`
`76`	`72`
`77`	`73`	`let result = "";`
`@@ -86,11 +82,11 @@ class Escaper implements EscaperInterface`
`86`	`82`	`let value = implode(" ", value);`
`87`	`83`	`}`
`88`	`84`
`89`		`- let result .= this->phpHtmlSpecialChars(key);`
	`85`	`+ let result .= this->phpHtmlSpecialChars((string) key);`
`90`	`86`
`91`	`87`	`if (true !== value) {`
`92`	`88`	`let result .= "=\""`
`93`		`- . this->phpHtmlSpecialChars(value)`
	`89`	`+ . this->phpHtmlSpecialChars((string) value)`
`94`	`90`	`. "\"";`
`95`	`91`	`}`
`96`	`92`