Merge pull request #258 from StefanPrintezis/htmlentities_encoding

Values are now encoded consistently by the formbuilder and the htmlbuilder
LaravelCollective · Dec 13, 2016 · 2f7f2e1 · 2f7f2e1
2 parents 961ce14 + f153be5
commit 2f7f2e1
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 8 deletions.
diff --git a/src/FormBuilder.php b/src/FormBuilder.php
@@ -485,7 +485,7 @@ public function textarea($name, $value = null, $options = [])
         // the element. Then we'll create the final textarea elements HTML for us.
         $options = $this->html->attributes($options);
 
-        return $this->toHtmlString('<textarea' . $options . '>' . e($value) . '</textarea>');
+        return $this->toHtmlString('<textarea' . $options . '>' . $this->html->escapeAll($value). '</textarea>');
     }
 
     /**
@@ -662,7 +662,7 @@ protected function optionGroup($list, $label, $selected)
             $html[] = $this->option($display, $value, $selected);
         }
 
-        return $this->toHtmlString('<optgroup label="' . e($label) . '">' . implode('', $html) . '</optgroup>');
+        return $this->toHtmlString('<optgroup label="' . $this->html->escapeAll($label) . '">' . implode('', $html) . '</optgroup>');
     }
 
     /**
@@ -680,7 +680,7 @@ protected function option($display, $value, $selected)
 
         $options = ['value' => $value, 'selected' => $selected];
 
-        return $this->toHtmlString('<option' . $this->html->attributes($options) . '>' . e($display) . '</option>');
+        return $this->toHtmlString('<option' . $this->html->attributes($options) . '>' . $this->html->escapeAll($display) . '</option>');
     }
 
     /**
@@ -698,7 +698,7 @@ protected function placeholderOption($display, $selected)
         $options = compact('selected');
         $options['value'] = '';
 
-        return $this->toHtmlString('<option' . $this->html->attributes($options) . '>' . e($display) . '</option>');
+        return $this->toHtmlString('<option' . $this->html->attributes($options) . '>' . $this->html->escapeAll($display) . '</option>');
     }
 
     /**

diff --git a/src/HtmlBuilder.php b/src/HtmlBuilder.php
@@ -53,6 +53,18 @@ public function entities($value)
         return htmlentities($value, ENT_QUOTES, 'UTF-8', false);
     }
 
+    /**
+     * Convert all applicable characters to HTML entities.
+     *
+     * @param string $value
+     *
+     * @return string
+     */
+    public function escapeAll($value)
+    {
+        return htmlentities($value, ENT_QUOTES, 'UTF-8');
+    }
+
     /**
      * Convert entities to HTML characters.
      *
@@ -288,7 +300,7 @@ public function nbsp($num = 1)
     {
         return str_repeat('&nbsp;', $num);
     }
-    
+
     /**
      * Generate an ordered list of items.
      *
@@ -387,7 +399,7 @@ protected function listingElement($key, $type, $value)
         if (is_array($value)) {
             return $this->nestedListing($key, $type, $value);
         } else {
-            return '<li>' . e($value) . '</li>';
+            return '<li>' . $this->escapeAll($value) . '</li>';
         }
     }
 
@@ -449,7 +461,7 @@ protected function attributeElement($key, $value)
         }
 
         if (! is_null($value)) {
-            return $key . '="' . e($value) . '"';
+            return $key . '="' . $this->escapeAll($value) . '"';
         }
     }
 

diff --git a/tests/FormBuilderTest.php b/tests/FormBuilderTest.php
@@ -239,11 +239,13 @@ public function testFormTextarea()
         $form2 = $this->formBuilder->textarea('foo', 'foobar');
         $form3 = $this->formBuilder->textarea('foo', null, ['class' => 'span2']);
         $form4 = $this->formBuilder->textarea('foo', null, ['size' => '60x15']);
+        $form5 = $this->formBuilder->textarea('encoded_html', '&amp;');
 
         $this->assertEquals('<textarea name="foo" cols="50" rows="10"></textarea>', $form1);
         $this->assertEquals('<textarea name="foo" cols="50" rows="10">foobar</textarea>', $form2);
         $this->assertEquals('<textarea class="span2" name="foo" cols="50" rows="10"></textarea>', $form3);
         $this->assertEquals('<textarea name="foo" cols="60" rows="15"></textarea>', $form4);
+        $this->assertEquals('<textarea name="encoded_html" cols="50" rows="10">&amp;amp;</textarea>', $form5);
     }
 
     public function testSelect()
@@ -301,6 +303,17 @@ public function testSelect()
             $select,
             '<select class="class-name" id="select-id" name="size"><optgroup label="Large sizes"><option value="L">Large</option><option value="XL">Extra Large</option></optgroup><option value="S">Small</option></select>'
         );
+
+        $select = $this->formBuilder->select(
+            'encoded_html',
+            ['no_break_space' => '&nbsp;', 'ampersand' => '&amp;', 'lower_than' => '&lt;'],
+            null
+        );
+
+        $this->assertEquals(
+            $select,
+            '<select name="encoded_html"><option value="no_break_space">&amp;nbsp;</option><option value="ampersand">&amp;amp;</option><option value="lower_than">&amp;lt;</option></select>'
+        );
     }
 
     public function testFormSelectRepopulation()
@@ -344,6 +357,16 @@ public function testFormWithOptionalPlaceholder()
         );
         $this->assertEquals($select,
           '<select name="size"><option value="">Select One...</option><option value="L" selected="selected">Large</option><option value="S">Small</option></select>');
+
+        $select = $this->formBuilder->select(
+            'encoded_html',
+            ['no_break_space' => '&nbsp;', 'ampersand' => '&amp;', 'lower_than' => '&lt;'],
+            null,
+            ['placeholder' => 'Select the &nbsp;']
+        );
+        $this->assertEquals($select,
+            '<select name="encoded_html"><option selected="selected" value="">Select the &amp;nbsp;</option><option value="no_break_space">&amp;nbsp;</option><option value="ampersand">&amp;amp;</option><option value="lower_than">&amp;lt;</option></select>'
+        );
     }
 
     public function testFormSelectYear()

diff --git a/tests/HtmlBuilderTest.php b/tests/HtmlBuilderTest.php
@@ -39,6 +39,28 @@ public function testDl()
         $this->assertEquals('<dl class="example"><dt>foo</dt><dd>bar</dd><dt>bing</dt><dd>baz</dd></dl>', $result);
     }
 
+    public function testOl()
+    {
+        $list = ['foo', 'bar', '&amp;'];
+
+        $attributes = ['class' => 'example'];
+
+        $ol = $this->htmlBuilder->ol($list, $attributes);
+
+        $this->assertEquals('<ol class="example"><li>foo</li><li>bar</li><li>&amp;amp;</li></ol>', $ol);
+    }
+
+    public function testUl()
+    {
+        $list = ['foo', 'bar', '&amp;'];
+
+        $attributes = ['class' => 'example'];
+
+        $ul = $this->htmlBuilder->ul($list, $attributes);
+
+        $this->assertEquals('<ul class="example"><li>foo</li><li>bar</li><li>&amp;amp;</li></ul>', $ul);
+    }
+
     public function testMeta()
     {
         $result = $this->htmlBuilder->meta('description', 'Lorem ipsum dolor sit amet.');
@@ -58,7 +80,7 @@ public function testTag()
             $this->htmlBuilder->image('http://example.com/image1'),
             $this->htmlBuilder->image('http://example.com/image2'),
         ];
-        
+
         $result4 = $this->htmlBuilder->tag('div', $content, ['class' => 'row']);
 
         $this->assertEquals('<p>' . PHP_EOL . 'Lorem ipsum dolor sit amet.' . PHP_EOL . '</p>' . PHP_EOL, $result1);