diogo/symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

merged branch Tobion/fragment-render-escaping (PR #7090)

Browse Source 
This PR was merged into the 2.2 branch.

Commits
-------

54d7d25 [HttpKernel] hinclude fragment renderer must escape URIs properly to return valid html

Discussion
----------

[HttpKernel] hinclude fragment renderer must escape URIs properly to return valid html

| Q             | A
| ------------- | ---
| Bug fix?      | [yes]
| New feature?  | [no]
| BC breaks?    | [no]
| Deprecations? | [no]
| Tests pass?   | [yes]
| Fixed tickets | [-]
| License       | MIT
| Doc PR        | [-]

Since rendering of hinclude fragments returns html/xml, it is marked as safe. So it's not auto-escaped of course. But that means it must properly escape it's input (the URI) when outputting in html context.
Btw, this does not need to be done for esi because esi tags are processed in middleware which do not go to the client/browser.

---------------------------------------------------------------------------

by Koc at 2013-02-15T22:59:05Z

Will it works correct when `arg_separator.output="&"`?

---------------------------------------------------------------------------

by stof at 2013-02-15T23:04:01Z

if your url comes form the routing, yes. It [does not rely on the default separator](https://github.com/symfony/Routing/blob/master/Generator/UrlGenerator.php#L265) to avoid issues when the separator is configured to ``&`` as it would have been escaped again in Twig templates for instance.

---------------------------------------------------------------------------

by fabpot at 2013-02-16T07:26:19Z

Can you include the proper PR header in the description? Thanks.

---------------------------------------------------------------------------

by Tobion at 2013-02-16T12:28:18Z

Added.
This commit is contained in:
Fabien Potencier 2013-02-20 23:12:30 +01:00
commit 2705791d6d
2 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/Symfony/Component/HttpKernel/Fragment/HIncludeFragmentRenderer.php
View File

@ -83,6 +83,9 @@ class HIncludeFragmentRenderer extends RoutableFragmentRenderer
$uri = $this->signer->sign($this->generateFragmentUri($uri, $request));
}
// We need to replace ampersands in the URI with the encoded form in order to return valid html/xml content.
$uri = str_replace('&', '&', $uri);
$template = isset($options['default']) ? $options['default'] : $this->globalDefaultTemplate;
if (null !== $this->templating && $template && $this->templateExists($template)) {
$content = $this->templating->render($template);

2
src/Symfony/Component/HttpKernel/Tests/Fragment/HIncludeFragmentRendererTest.php
View File

@ -38,7 +38,7 @@ class HIncludeFragmentRendererTest extends \PHPUnit_Framework_TestCase
{
$strategy = new HIncludeFragmentRenderer(null, new UriSigner('foo'));
$this->assertEquals('<hx:include src="http://localhost/_fragment?_path=_format%3Dhtml%26_controller%3Dmain_controller&_hash=VI25qJj8J0qveB3bGKPhsJtexKg%3D"></hx:include>', $strategy->render(new ControllerReference('main_controller', array(), array()), Request::create('/'))->getContent());
$this->assertEquals('<hx:include src="http://localhost/_fragment?_path=_format%3Dhtml%26_controller%3Dmain_controller&amp;_hash=VI25qJj8J0qveB3bGKPhsJtexKg%3D"></hx:include>', $strategy->render(new ControllerReference('main_controller', array(), array()), Request::create('/'))->getContent());
}
public function testRenderWithUri()