From 89f216eb069865f5df7c907037ed9d026091bfb5 Mon Sep 17 00:00:00 2001
From: Robert Kolmos <robertk3@uw.edu>
Date: Mon, 6 May 2024 02:46:32 -0700
Subject: [PATCH] fix: escape constant attribute Go strings (#725)

Co-authored-by: Robert Kolmos <robertkolmos@gmail.com>
---
 generator/generator.go                        |  3 +-
 .../expected.html                             | 17 ++++++++++
 .../render_test.go                            | 23 +++++++++++++
 .../template.templ                            | 21 ++++++++++++
 .../template_templ.go                         | 34 +++++++++++++++++++
 5 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 generator/test-constant-attribute-escaping/expected.html
 create mode 100644 generator/test-constant-attribute-escaping/render_test.go
 create mode 100644 generator/test-constant-attribute-escaping/template.templ
 create mode 100644 generator/test-constant-attribute-escaping/template_templ.go

diff --git a/generator/generator.go b/generator/generator.go
index 139a8fe70..4b954973d 100644
--- a/generator/generator.go
+++ b/generator/generator.go
@@ -1082,7 +1082,8 @@ func (g *generator) writeBoolConstantAttribute(indentLevel int, attr parser.Bool
 func (g *generator) writeConstantAttribute(indentLevel int, attr parser.ConstantAttribute) (err error) {
 	name := html.EscapeString(attr.Name)
 	value := html.EscapeString(attr.Value)
-	value = strings.ReplaceAll(value, "\n", "\\n")
+	value = strconv.Quote(value)
+	value = value[1 : len(value)-1]
 	if _, err = g.w.WriteStringLiteral(indentLevel, fmt.Sprintf(` %s=\"%s\"`, name, value)); err != nil {
 		return err
 	}
diff --git a/generator/test-constant-attribute-escaping/expected.html b/generator/test-constant-attribute-escaping/expected.html
new file mode 100644
index 000000000..54d517187
--- /dev/null
+++ b/generator/test-constant-attribute-escaping/expected.html
@@ -0,0 +1,17 @@
+<div>
+    <!-- valid go escape sequences -->
+    <input pattern="\a"/>
+    <input pattern="\b"/>
+    <input pattern="\f"/>
+    <input pattern="\n"/>
+    <input pattern="\r"/>
+    <input pattern="\t"/>
+    <input pattern="\v"/>
+    <input pattern="\\"/>
+    <input pattern="\777"/>
+    <input pattern="\xFF"/>
+    <input pattern="\u00FF"/>
+    <input pattern="\u00FF\u00FF\u00FF"/>
+    <!-- invalid go escape sequences -->
+    <input pattern="\s"/>
+</div>
diff --git a/generator/test-constant-attribute-escaping/render_test.go b/generator/test-constant-attribute-escaping/render_test.go
new file mode 100644
index 000000000..2fb2a8017
--- /dev/null
+++ b/generator/test-constant-attribute-escaping/render_test.go
@@ -0,0 +1,23 @@
+package testconstantattributeescaping
+
+import (
+	_ "embed"
+	"testing"
+
+	"github.com/a-h/templ/generator/htmldiff"
+)
+
+//go:embed expected.html
+var expected string
+
+func Test(t *testing.T) {
+	component := BasicTemplate()
+
+	diff, err := htmldiff.Diff(component, expected)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if diff != "" {
+		t.Error(diff)
+	}
+}
diff --git a/generator/test-constant-attribute-escaping/template.templ b/generator/test-constant-attribute-escaping/template.templ
new file mode 100644
index 000000000..e1fc3515c
--- /dev/null
+++ b/generator/test-constant-attribute-escaping/template.templ
@@ -0,0 +1,21 @@
+package testconstantattributeescaping
+
+templ BasicTemplate() {
+	<div>
+		<!-- valid go escape sequences -->
+		<input pattern="\a"/>
+		<input pattern="\b"/>
+		<input pattern="\f"/>
+		<input pattern="\n"/>
+		<input pattern="\r"/>
+		<input pattern="\t"/>
+		<input pattern="\v"/>
+		<input pattern="\\"/>
+		<input pattern="\777"/>
+		<input pattern="\xFF"/>
+		<input pattern="\u00FF"/>
+		<input pattern="\u00FF\u00FF\u00FF"/>
+		<!-- invalid go escape sequences -->
+		<input pattern="\s"/>
+	</div>
+}
diff --git a/generator/test-constant-attribute-escaping/template_templ.go b/generator/test-constant-attribute-escaping/template_templ.go
new file mode 100644
index 000000000..34cfb3678
--- /dev/null
+++ b/generator/test-constant-attribute-escaping/template_templ.go
@@ -0,0 +1,34 @@
+// Code generated by templ - DO NOT EDIT.
+
+package testconstantattributeescaping
+
+//lint:file-ignore SA4006 This context is only used if a nested component is present.
+
+import "github.com/a-h/templ"
+import "context"
+import "io"
+import "bytes"
+
+func BasicTemplate() templ.Component {
+	return templ.ComponentFunc(func(ctx context.Context, templ_7745c5c3_W io.Writer) (templ_7745c5c3_Err error) {
+		templ_7745c5c3_Buffer, templ_7745c5c3_IsBuffer := templ_7745c5c3_W.(*bytes.Buffer)
+		if !templ_7745c5c3_IsBuffer {
+			templ_7745c5c3_Buffer = templ.GetBuffer()
+			defer templ.ReleaseBuffer(templ_7745c5c3_Buffer)
+		}
+		ctx = templ.InitializeContext(ctx)
+		templ_7745c5c3_Var1 := templ.GetChildren(ctx)
+		if templ_7745c5c3_Var1 == nil {
+			templ_7745c5c3_Var1 = templ.NopComponent
+		}
+		ctx = templ.ClearChildren(ctx)
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString("<div><!-- valid go escape sequences --><input pattern=\"\\a\"> <input pattern=\"\\b\"> <input pattern=\"\\f\"> <input pattern=\"\\n\"> <input pattern=\"\\r\"> <input pattern=\"\\t\"> <input pattern=\"\\v\"> <input pattern=\"\\\\\"> <input pattern=\"\\777\"> <input pattern=\"\\xFF\"> <input pattern=\"\\u00FF\"> <input pattern=\"\\u00FF\\u00FF\\u00FF\"><!-- invalid go escape sequences --><input pattern=\"\\s\"></div>")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		if !templ_7745c5c3_IsBuffer {
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteTo(templ_7745c5c3_W)
+		}
+		return templ_7745c5c3_Err
+	})
+}