Fix #13

HTML id attributes are a special case.

Author: soatok

src/Core/StapleTrait.php

@@ -63,7 +63,7 @@ public function flattenAttributes(): string
         $pieces = $this->renderAttributes();
 
         if (!empty($this->id)) {
-            $pieces['id'] = Utilities::escapeAttribute($this->id);
+            $pieces['id'] = $this->id;
         }
 
         if (!empty($this->classes)) {
@@ -91,7 +91,11 @@ public function flattenAttributes(): string
         }
         $return = '';
         foreach ($pieces as $attr => $value) {
-            $return .= "{$attr}=\"" . Utilities::escapeAttribute((string) $value) . "\" ";
+            if ($attr === 'id') {
+                $return .= "{$attr}=\"" . Utilities::escapeIDAttribute((string)$value) . "\" ";
+            } else {
+                $return .= "{$attr}=\"" . Utilities::escapeAttribute((string)$value) . "\" ";
+            }
         }
         return ' ' . trim($return);
     }

src/Core/Utilities.php

@@ -58,6 +58,11 @@ public static function escapeAttribute(string $input): string
         return htmlentities($input, ENT_HTML5 | ENT_QUOTES, 'utf-8');
     }
 
+    public static function escapeIDAttribute(string $id): string
+    {
+        return preg_replace('/[^A-Za-z0-9-_]/', '', $id);
+    }
+
     /**
      * @param array $classes
      * @return string

tests/FormTest.php

@@ -37,6 +37,17 @@ public function testEmpty()
             $form . ''
         );
     }
+
+    public function testIdWithUnderline()
+    {
+        $form = (new Form())->disableAntiCSRF();
+        $form->setId('group_order');
+        $this->assertSame(
+            '<form id="group_order" method="GET" action=""></form>',
+            $form . ''
+        );
+    }
+
     public function testEmptyWithoutDisablingCsrfProtection()
     {
         /** @var array<string, string> $storage */