diff options
| author | Urban Müller | 2023-09-25 16:31:54 +0200 |
|---|---|---|
| committer | Urban Müller | 2023-09-25 16:31:54 +0200 |
| commit | 888af9543cb9b632b0671284771ca6a82aed47dd (patch) | |
| tree | 32d7417cdb6cec3e5ee109021870fee1ff37c8e2 | |
| parent | d81ef38f6b66912b62a54f9263b9d15ead872b3d (diff) | |
| download | itools-888af9543cb9b632b0671284771ca6a82aed47dd.tar.gz itools-888af9543cb9b632b0671284771ca6a82aed47dd.tar.bz2 itools-888af9543cb9b632b0671284771ca6a82aed47dd.zip | |
escape dangerous strings inside javascript, including env =
| -rw-r--r-- | it_html.class | 2 | ||||
| -rwxr-xr-x | test/it_html.t | 2 |
2 files changed, 4 insertions, 0 deletions
diff --git a/it_html.class b/it_html.class index 58784cf..716e066 100644 --- a/it_html.class +++ b/it_html.class @@ -561,6 +561,8 @@ static function U(...$args) */ function js($args) { + $args = it::map(fn($v) => it::replace(['<!--' => '\\x3C!--', '<script' => '\\x3Cscript', '</script' => '\\x3C/script'], $v), $args); + if (($this->p['htmltype'][0] == 'x') && $args[0] && ((array)$args[0] === array_values((array)$args[0]))) { array_unshift($args, "<!--//--><![CDATA[//><!--\n"); diff --git a/test/it_html.t b/test/it_html.t index ae11ad1..e6477da 100755 --- a/test/it_html.t +++ b/test/it_html.t @@ -288,3 +288,5 @@ is(it_html::entity_decode("’"), "'", "it_html::entity_decode numeric decim is(it_html::entity_decode("࿿"), " ", "it_html::entity_decode invalid numeric hex entity"); is(it_html::entity_decode("ϧ"), " ", "it_html::entity_decode invalid numeric decimal entity"); is(it_html::entity_decode("‹"), " ", "it_html::entity_decode entity von 0x80-0x9f"); + +is(js('<SCriPT> </script> </SCriPT> <!--'), "<script type=\"text/javascript\">\\x3Cscript> \\x3C/script> \\x3C/script> \\x3C!--</script>\n", "escape dangerous js content"); |