Merge pull request #33 from studiometa/bugfix/attribute-escape

[Bugfix] Fix attribute escaping strategy
studiometa · Jan 27, 2025 · 8966ac3 · 8966ac3
2 parents d3a894f + 8b0b713
commit 8966ac3
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## [Unreleased]
 
+### Changed
+
+- Prefer the `html` escape mode to the `html_attr` ([#33](https://github.com/studiometa/twig-toolkit/pull/33), [c093446](https://github.com/studiometa/twig-toolkit/commit/c093446))
+
 ## v2.0.0 (2025-01-20)
 
 ### Changed

diff --git a/src/Helpers/Html.php b/src/Helpers/Html.php
@@ -210,21 +210,13 @@ public static function renderAttributes(Environment $env, array $attributes):str
             }
 
             /** @var null|false|string */
-            $value = $env->getRuntime(EscaperRuntime::class)->escape($value, 'html_attr', $env->getCharset());
+            $value = $env->getRuntime(EscaperRuntime::class)->escape($value, 'html', $env->getCharset());
 
             // Do not add null & false attributes
             if (is_null($value) || $value === false) {
                 continue;
             }
 
-            // Escape value and replace some escaped characters to improve
-            // readability for the generated HTML.
-            $value = str_replace(
-                ['&#x20;', '&#x3A;', '&#x3B;', '&#x2F;'],
-                [' ', ':', ';', '/'],
-                $value
-            );
-
             $renderedAttributes[] = sprintf('%s="%s"', $key, $value);
         }
 

diff --git a/...t__The_____html__element_____Twig_tag_should_be_able_to_render_complex_attributes___1.txt b/...t__The_____html__element_____Twig_tag_should_be_able_to_render_complex_attributes___1.txt
@@ -1,3 +1,3 @@
-<div aria-hidden="true" data-options="&#x7B;&quot;log&quot;:true&#x7D;">
+<div aria-hidden="true" data-options="{&quot;log&quot;:true}">
     Hello world
 </div>
diff --git a/...t__The_____html__attributes_______Twig_function_should_not_render_empty_attributes__1.txt b/...t__The_____html__attributes_______Twig_function_should_not_render_empty_attributes__1.txt
@@ -1 +1 @@
- empty-string="" truthy empty-array="&#x5B;&#x5D;"
+ empty-string="" truthy empty-array="[]"
diff --git a/.../HtmlTest__The_____html__attributes_______Twig_function_should_prevent_XSS_attacks__1.txt b/.../HtmlTest__The_____html__attributes_______Twig_function_should_prevent_XSS_attacks__1.txt
@@ -1 +1 @@
- class="&quot; onclick&#x3D;&quot;alert&#x28;true&#x29;"
+ class="&quot; onclick=&quot;alert(true)"
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		empty-string="" truthy empty-array="[]"
		empty-string="" truthy empty-array="[]"
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		class="" onclick="alert(true)"
		class="" onclick="alert(true)"