Improve PHP in antlers meta handling (#379)

* Add test coverage for people trying to get extra clever.

* Implement improvements to pass failing tests.

* Do simple string checks to early for performance/etc, because why not.

Author: jesseleite

src/Cascade.php

@@ -2,14 +2,17 @@
 
 namespace Statamic\SeoPro;
 
+use Exception;
 use Illuminate\Support\Collection;
+use Statamic\Facades\Antlers;
 use Statamic\Facades\Blink;
 use Statamic\Facades\Config;
 use Statamic\Facades\Entry;
-use Statamic\Facades\Parse;
 use Statamic\Facades\Site;
 use Statamic\Facades\URL;
+use Statamic\Fields\Field;
 use Statamic\Fields\Value;
+use Statamic\Fieldtypes\Text;
 use Statamic\Support\Arr;
 use Statamic\Support\Str;
 use Statamic\View\Cascade as ViewCascade;
@@ -381,13 +384,29 @@ protected function parseImageField($value)
 
     protected function parseAntlers($item)
     {
-        if (Str::contains($item, ['{{?', '{{$'])) {
+        // Simplistically prevent php in antlers.
+        if (Str::contains($item, ['{{?', '{{$', '@{'])) {
             return $item;
         }
 
-        $viewCascade = app(ViewCascade::class)->toArray();
+        // Also, the parser has extra runtime protections around `Value` objects
+        // when `antlers: true` is set on a blueprint field. While this may be
+        // improved in future, we'll give custom seo fields same treatment.
+        try {
+            $textFieldType = new Text;
+            $textFieldType->setField(new Field('___tmpValue', ['antlers' => true]));
+            $value = new Value($item, '___tmpValue', $textFieldType);
 
-        return (string) Parse::template($item, array_merge($viewCascade, $this->current));
+            $viewCascade = array_merge(
+                app(ViewCascade::class)->toArray(),
+                $this->current,
+                ['___tmpValue' => $value],
+            );
+
+            return (string) Antlers::parse('{{ ___tmpValue }}', $viewCascade);
+        } catch (Exception $exception) {
+            return $item;
+        }
     }
 
     protected function humans()

tests/CascadeTest.php

@@ -10,7 +10,7 @@
 
 class CascadeTest extends TestCase
 {
-    public function tearDown(): void
+    protected function tearDown(): void
     {
         if ($this->files->exists($path = base_path('custom_seo.yaml'))) {
             $this->files->delete($path);
@@ -126,6 +126,49 @@ public function it_parses_antlers()
         $this->assertEquals('RED', $data['description']);
     }
 
+    public static function phpInAntlersProvider()
+    {
+        return [
+            [
+                '{{? echo "php used" ?}}',
+                '{{? echo "php used" ?}}',
+            ],
+            [
+                '{{$ "php used" $}}',
+                '{{$ "php used" $}}',
+            ],
+            [
+                "{{ _php_used = '@{@{' + '? echo \"php used\" ?' + '@}}'; _php_used | antlers /}}",
+                "{{ _php_used = '@{@{' + '? echo \"php used\" ?' + '@}}'; _php_used | antlers /}}",
+            ],
+            [
+                "{{ _php_used = (['' => ''] | json); _open = (_php_used | at(0)); _close = (_php_used | at(6)); _antlers_modified = _open + _open + '? echo \"php used\" ?' + _close + _close; _antlers_modified | antlers /}}",
+                '{{? echo "php used" ?}}',
+            ],
+        ];
+    }
+
+    /**
+     * @test
+     *
+     * @dataProvider phpInAntlersProvider
+     */
+    public function it_doesnt_parse_php_in_antlers($antlers, $output)
+    {
+        $entry = Entry::findByUri('/about')->entry();
+
+        $data = (new Cascade)
+            ->with(SiteDefaults::load()->all())
+            ->with([
+                'description' => $antlers,
+            ])
+            ->withCurrent($entry)
+            ->get();
+
+        $this->assertNotEquals('hello', $data['description']);
+        $this->assertEquals($output, $data['description']);
+    }
+
     /** @test */
     public function it_parses_field_references()
     {