smarty-php / smarty

Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic.

Fix incorrect code when escape_html=true #930

Closed wxiaoguang closed 6 months ago

wxiaoguang commented 6 months ago

Fix #928

When setting escape_html=true, the following code:

{$foo+$bar}

becomes:

<?php echo htmlspecialchars((string) $_smarty_tpl->tpl_vars['foo']->value+$_smarty_tpl->tpl_vars['bar']->value, ENT_QUOTES, 'UTF-8');?>

The code (string) $a + $b is not correct; it should be (string) ($a + $b).

wxiaoguang commented 6 months ago

Hi @wisskid, is there any interest in this fix? 4.x also needs this fix IMO.

wisskid commented 6 months ago

I think so. Can you clarify the actual error this causes?

wxiaoguang commented 6 months ago

In the function htmlspecialchars(string $string, ....), the first argument's type is string (PHP is getting more and more strict about typing).

But {$foo+$bar} would result in a non-string type:

$ php -r 'echo gettype( (string)1+2 );'
integer%

So it needs to use htmlspecialchars((string) ({$output})) to make sure the type is string:

$ php -r 'echo gettype( (string)(1+2) );'
string%
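The error wisskid asked about, reproduced as an added example (this is not Smarty's code and not part of the discussion above): the two compiled forms from the PR description are run side by side under PHP 8 with strict_types enabled, with plain variables standing in for $_smarty_tpl->tpl_vars[...]->value.

```php
<?php
// Added example, not Smarty project code: shows why the (string) cast must
// wrap the whole expression when escape_html=true generates the output call.
// With strict_types=1, passing an int to htmlspecialchars() is a TypeError;
// without it PHP silently coerces the int, so the bug goes unnoticed.
declare(strict_types=1);

// Constructed stand-ins for the template variables {$foo} and {$bar}.
$foo = 1;
$bar = 2;

// Buggy compiled form: the (string) cast binds tighter than +, so the
// expression is ((string) $foo) + $bar, which is an int, not a string.
try {
    $out = htmlspecialchars((string) $foo + $bar, ENT_QUOTES, 'UTF-8');
    echo "buggy form: ", $out, PHP_EOL;
} catch (TypeError $e) {
    // Expected under strict_types=1:
    // "htmlspecialchars(): Argument #1 ($string) must be of type string, int given"
    echo "buggy form: TypeError: ", $e->getMessage(), PHP_EOL;
}

// Fixed compiled form: cast the result of the addition, so the escaper
// always receives a string regardless of the operand types.
$out = htmlspecialchars((string) ($foo + $bar), ENT_QUOTES, 'UTF-8');
echo "fixed form: ", $out, PHP_EOL;
```

Run it with php on the command line; the first call raises the TypeError while the second prints 3.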