-rw-r--r-- | it_html.class | 2 | ||||
-rwxr-xr-x | test/it_html.t | 2 |
2 files changed, 4 insertions, 0 deletions
diff --git a/it_html.class b/it_html.class
index 58784cf..716e066 100644
--- a/it_html.class
+++ b/it_html.class
@@ -561,6 +561,8 @@ static function U(...$args)
 */
 function js($args)
 {
+ $args = it::map(fn($v) => it::replace(['<!--' => '\\x3C!--', '<script' => '\\x3Cscript', '</script' => '\\x3C/script'], $v), $args);
+
 if (($this->p['htmltype'][0] == 'x') && $args[0] && ((array)$args[0] === array_values((array)$args[0])))
 {
 array_unshift($args, "<!--//--><![CDATA[//><!--\n");
diff --git a/test/it_html.t b/test/it_html.t
index ae11ad1..e6477da 100755
--- a/test/it_html.t
+++ b/test/it_html.t
@@ -288,3 +288,5 @@ is(it_html::entity_decode("’"), "'", "it_html::entity_decode numeric decim
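Review bot: The new replace map in js() neutralises the HTML tokenizer break-outs (`<!--`, `<script`, `</script`) but not `]]>`, which is what terminates the `<![CDATA[` section the very next statement opens for the XHTML (`htmltype` starting with 'x') branch — under an XML parser, content containing `]]>` still escapes the CDATA and a following `</script>` closes the element. Adding `']]>' => ']]\\x3E'` to the map closes that gap in the same style. Also note that `\x3C` is only a correct escape inside a JavaScript string or template literal; the same token in bare code (a comparison such as `a <script_count`, or an Annex-B `<!--` line comment) becomes a syntax error after rewriting, so a short comment stating that js() treats its arguments as string-literal payload would help future callers. The closing CDATA/`</script>` and the rest of js() are outside this hunk.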