summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--it_html.class2
-rwxr-xr-xtest/it_html.t2
2 files changed, 4 insertions, 0 deletions
diff --git a/it_html.class b/it_html.class
index 58784cf..716e066 100644
--- a/it_html.class
+++ b/it_html.class
@@ -561,6 +561,8 @@ static function U(...$args)
*/
function js($args)
{
+ $args = it::map(fn($v) => it::replace(['<!--' => '\\x3C!--', '<script' => '\\x3Cscript', '</script' => '\\x3C/script'], $v), $args);
+
if (($this->p['htmltype'][0] == 'x') && $args[0] && ((array)$args[0] === array_values((array)$args[0])))
{
array_unshift($args, "<!--//--><![CDATA[//><!--\n");
diff --git a/test/it_html.t b/test/it_html.t
index ae11ad1..e6477da 100755
--- a/test/it_html.t
+++ b/test/it_html.t
@@ -288,3 +288,5 @@ is(it_html::entity_decode("&#8217;"), "'", "it_html::entity_decode numeric decim
is(it_html::entity_decode("&#xfff;"), " ", "it_html::entity_decode invalid numeric hex entity");
is(it_html::entity_decode("&#999;"), " ", "it_html::entity_decode invalid numeric decimal entity");
is(it_html::entity_decode("&#x8b;"), " ", "it_html::entity_decode entity von 0x80-0x9f");
+
+is(js('<SCriPT> </script> </SCriPT> <!--'), "<script type=\"text/javascript\">\\x3Cscript> \\x3C/script> \\x3C/script> \\x3C!--</script>\n", "escape dangerous js content");