Allow using [] in the relaxed escaping as well

mpdude · mpdude · commit 11d9a173ffc2 · 2026-01-20T11:17:34.000+01:00
diff --git a/doc/filters/escape.rst b/doc/filters/escape.rst
@@ -57,11 +57,11 @@ documents:
   also when used as the value of an HTML attribute **without quotes**
   (e.g. ``data-attribute={{ some_value }}``).
 
-* ``html_attr_relaxed``: like ``html_attr``, but **does not** escape ``@`` and ``:``
-  characters. You may want to use this in combination with front-end frameworks that
-  use attribute names like ``v-bind:href`` or ``@click``. But, be aware that in some
-  processing contexts like XML, characters like the colon ``:`` may have meaning like
-  for XML namespace separation.
+* ``html_attr_relaxed``: like ``html_attr``, but **does not** escape the ``@``, ``:``,
+  ``[`` and ``]`` characters. You may want to use this in combination with front-end
+  frameworks that use attribute names like ``v-bind:href`` or ``@click``. But, be
+  aware that in some processing contexts like XML, characters like the colon ``:``
+  may have meaning like for XML namespace separation.
 
 Note that doing contextual escaping in HTML documents is hard and choosing the
 right escaping strategy depends on a lot of factors. Please, read related
diff --git a/src/Runtime/EscaperRuntime.php b/src/Runtime/EscaperRuntime.php
@@ -267,7 +267,7 @@ public function escape($string, string $strategy = 'html', ?string $charset = nu
 
                 $regex = match ($strategy) {
                     'html_attr' => '#[^a-zA-Z0-9,\.\-_]#Su',
-                    'html_attr_relaxed' => '#[^a-zA-Z0-9,\._:@]#Su',
+                    'html_attr_relaxed' => '#[^a-zA-Z0-9,\._:@\[\]]#Su',
                 };
 
                 $string = preg_replace_callback($regex, function ($matches) {
diff --git a/tests/Runtime/EscaperRuntimeTest.php b/tests/Runtime/EscaperRuntimeTest.php
@@ -339,7 +339,7 @@ public function testHtmlAttributeEscapingEscapesOwaspRecommendedRanges()
 
     public function testHtmlAttributeRelaxedEscapingEscapesOwaspRecommendedRanges()
     {
-        $immune = [',', '.', '-', '_', ':', '@']; // Exceptions to escaping ranges
+        $immune = [',', '.', '-', '_', ':', '@', '[', ']']; // Exceptions to escaping ranges
         for ($chr = 0; $chr < 0xFF; ++$chr) {
             if ($chr >= 0x30 && $chr <= 0x39
             || $chr >= 0x41 && $chr <= 0x5A

Original file line number	Diff line number	Diff line change
`@@ -339,7 +339,7 @@ public function testHtmlAttributeEscapingEscapesOwaspRecommendedRanges()`
`339`	`339`
`340`	`340`	`public function testHtmlAttributeRelaxedEscapingEscapesOwaspRecommendedRanges()`
`341`	`341`	`{`
`342`		`- $immune = [',', '.', '-', '_', ':', '@']; // Exceptions to escaping ranges`
	`342`	`+ $immune = [',', '.', '-', '_', ':', '@', '[', ']']; // Exceptions to escaping ranges`
`343`	`343`	`for ($chr = 0; $chr < 0xFF; ++$chr) {`
`344`	`344`	`if ($chr >= 0x30 && $chr <= 0x39`
`345`	`345`	`\|\| $chr >= 0x41 && $chr <= 0x5A`