Always emit single quotes as &#039;

thekid · thekid · commit a44190b606c5 · 2021-05-02T10:53:42.000+02:00
See php/php-src#6583
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -3,6 +3,13 @@ Mustache for XP Framework ChangeLog
 
 ## ?.?.? / ????-??-??
 
+## 7.0.0 / 2021-05-02
+
+* Changed single quotes to be emitted as `&#039;` for all PHP versions.
+  This breaks backwards compatiblity but ensure there are no security
+  risks with expressions such as `<a href='{{url}}'>...</a>`.
+  (@thekid)
+
 ## 6.1.2 / 2021-05-02
 
 * Fixed single quotes being output as `&#039;` in PHP 8.1, which changed
diff --git a/src/main/php/com/github/mustache/IteratorNode.class.php b/src/main/php/com/github/mustache/IteratorNode.class.php
@@ -48,7 +48,7 @@ public function write($context, $out) {
     } else {
       $v= $value;
     }
-    $out->write($this->escape ? htmlspecialchars($v, ENT_COMPAT) : $v);
+    $out->write($this->escape ? htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE) : $v);
   }
 
   /**
diff --git a/src/main/php/com/github/mustache/VariableNode.class.php b/src/main/php/com/github/mustache/VariableNode.class.php
@@ -93,7 +93,7 @@ public function write($context, $out) {
     } else {
       $rendered= $context->asString($value);
     }
-    $out->write($this->escape ? htmlspecialchars($rendered, ENT_COMPAT) : $rendered);
+    $out->write($this->escape ? htmlspecialchars($rendered, ENT_QUOTES | ENT_SUBSTITUTE) : $rendered);
   }
 
   /**
diff --git a/src/test/php/com/github/mustache/unittest/RenderingTest.class.php b/src/test/php/com/github/mustache/unittest/RenderingTest.class.php
@@ -60,12 +60,12 @@ public function html_is_escaped() {
     );
   }
 
-  #[Test, Values(map: ['"' => '&quot;', '<' => '&lt;', '>' => '&gt;', '&' => '&amp;', "'" => "'"])]
+  #[Test, Values(map: ['"' => '&quot;', '<' => '&lt;', '>' => '&gt;', '&' => '&amp;', "'" => "&#039;"])]
   public function html_special_chars_for_variables($chars, $expected) {
     Assert::equals($expected, $this->render('{{input}}', ['input' => $chars]));
   }
 
-  #[Test, Values(map: ['"' => '&quot;', '<' => '&lt;', '>' => '&gt;', '&' => '&amp;', "'" => "'"])]
+  #[Test, Values(map: ['"' => '&quot;', '<' => '&lt;', '>' => '&gt;', '&' => '&amp;', "'" => "&#039;"])]
   public function html_special_chars_for_iterator($chars, $expected) {
     Assert::equals($expected, $this->render('{{#input}}{{.}}{{/input}}', ['input' => [$chars]]));
   }

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ public function write($context, $out) {`
`48`	`48`	`} else {`
`49`	`49`	`$v= $value;`
`50`	`50`	`}`
`51`		`- $out->write($this->escape ? htmlspecialchars($v, ENT_COMPAT) : $v);`
	`51`	`+ $out->write($this->escape ? htmlspecialchars($v, ENT_QUOTES \| ENT_SUBSTITUTE) : $v);`
`52`	`52`	`}`
`53`	`53`
`54`	`54`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ public function write($context, $out) {`
`93`	`93`	`} else {`
`94`	`94`	`$rendered= $context->asString($value);`
`95`	`95`	`}`
`96`		`- $out->write($this->escape ? htmlspecialchars($rendered, ENT_COMPAT) : $rendered);`
	`96`	`+ $out->write($this->escape ? htmlspecialchars($rendered, ENT_QUOTES \| ENT_SUBSTITUTE) : $rendered);`
`97`	`97`	`}`
`98`	`98`
`99`	`99`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -60,12 +60,12 @@ public function html_is_escaped() {`
`60`	`60`	`);`
`61`	`61`	`}`
`62`	`62`
`63`		`- #[Test, Values(map: ['"' => '"', '<' => '<', '>' => '>', '&' => '&', "'" => "'"])]`
	`63`	`+ #[Test, Values(map: ['"' => '"', '<' => '<', '>' => '>', '&' => '&', "'" => "'"])]`
`64`	`64`	`public function html_special_chars_for_variables($chars, $expected) {`
`65`	`65`	`Assert::equals($expected, $this->render('{{input}}', ['input' => $chars]));`
`66`	`66`	`}`
`67`	`67`
`68`		`- #[Test, Values(map: ['"' => '"', '<' => '<', '>' => '>', '&' => '&', "'" => "'"])]`
	`68`	`+ #[Test, Values(map: ['"' => '"', '<' => '<', '>' => '>', '&' => '&', "'" => "'"])]`
`69`	`69`	`public function html_special_chars_for_iterator($chars, $expected) {`
`70`	`70`	`Assert::equals($expected, $this->render('{{#input}}{{.}}{{/input}}', ['input' => [$chars]]));`
`71`	`71`	`}`