escape lang directive echos
taylorotwell committed Sep 2, 2018
1 parent 45daf1e commit d3c0a36
Showing 3 changed files with 8 additions and 8 deletions.
Expand Up @@ -18,7 +18,7 @@ protected function compileLang($expression)
return "<?php \$__env->startTranslation{$expression}; ?>";
}

return "<?php echo app('translator')->getFromJson{$expression}; ?>";
return "<?php echo e(app('translator')->getFromJson{$expression}); ?>";
}

/**
Expand All @@ -28,7 +28,7 @@ protected function compileLang($expression)
*/
protected function compileEndlang()
{
return '<?php echo $__env->renderTranslation(); ?>';
return '<?php echo e($__env->renderTranslation()); ?>';
}

/**
Expand All @@ -39,6 +39,6 @@ protected function compileEndlang()
*/
protected function compileChoice($expression)
{
return "<?php echo app('translator')->choice{$expression}; ?>";
return "<?php echo e(app('translator')->choice{$expression}); ?>";
}
}
4 changes: 2 additions & 2 deletions tests/View/Blade/BladeExpressionTest.php
Expand Up @@ -6,13 +6,13 @@ class BladeExpressionTest extends AbstractBladeTestCase
{
public function testExpressionsOnTheSameLine()
{
$this->assertEquals('<?php echo app(\'translator\')->getFromJson(foo(bar(baz(qux(breeze()))))); ?> space () <?php echo app(\'translator\')->getFromJson(foo(bar)); ?>', $this->compiler->compileString('@lang(foo(bar(baz(qux(breeze()))))) space () @lang(foo(bar))'));
$this->assertEquals('<?php echo e(app(\'translator\')->getFromJson(foo(bar(baz(qux(breeze())))))); ?> space () <?php echo e(app(\'translator\')->getFromJson(foo(bar))); ?>', $this->compiler->compileString('@lang(foo(bar(baz(qux(breeze()))))) space () @lang(foo(bar))'));
}

public function testExpressionWithinHTML()
{
$this->assertEquals('<html <?php echo e($foo); ?>>', $this->compiler->compileString('<html {{ $foo }}>'));
$this->assertEquals('<html<?php echo e($foo); ?>>', $this->compiler->compileString('<html{{ $foo }}>'));
$this->assertEquals('<html <?php echo e($foo); ?> <?php echo app(\'translator\')->getFromJson(\'foo\'); ?>>', $this->compiler->compileString('<html {{ $foo }} @lang(\'foo\')>'));
$this->assertEquals('<html <?php echo e($foo); ?> <?php echo e(app(\'translator\')->getFromJson(\'foo\')); ?>>', $this->compiler->compileString('<html {{ $foo }} @lang(\'foo\')>'));
}
}
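Review bot: The new assertions on lines 48 and 56 pin string output with `assertEquals`, which uses loose comparison; for compiled-template strings `assertSame` is the stricter, conventional choice and also catches an accidental non-string return, e.g. `$this->assertSame('<html <?php echo e($foo); ?> <?php echo e(app(\'translator\')->getFromJson(\'foo\')); ?>>', $this->compiler->compileString('<html {{ $foo }} @lang(\'foo\')>'));`. Line 48 also folds two independent expectations into one long assertion; splitting it into two `assertSame` calls would make a failure point at the specific `@lang` occurrence that regressed. Since `@lang` is now escaped the same way as `{{ }}`, a one-line comment above the test stating that the `@lang` output is expected to be wrapped in `e()` would document the security intent that the raw expected string otherwise hides.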
6 changes: 3 additions & 3 deletions tests/View/Blade/BladeLangTest.php
Expand Up @@ -7,13 +7,13 @@ class BladeLangTest extends AbstractBladeTestCase
public function testStatementThatContainsNonConsecutiveParenthesisAreCompiled()
{
$string = "Foo @lang(function_call('foo(blah)')) bar";
$expected = "Foo <?php echo app('translator')->getFromJson(function_call('foo(blah)')); ?> bar";
$expected = "Foo <?php echo e(app('translator')->getFromJson(function_call('foo(blah)'))); ?> bar";
$this->assertEquals($expected, $this->compiler->compileString($string));
}

public function testLanguageAndChoicesAreCompiled()
{
$this->assertEquals('<?php echo app(\'translator\')->getFromJson(\'foo\'); ?>', $this->compiler->compileString("@lang('foo')"));
$this->assertEquals('<?php echo app(\'translator\')->choice(\'foo\', 1); ?>', $this->compiler->compileString("@choice('foo', 1)"));
$this->assertEquals('<?php echo e(app(\'translator\')->getFromJson(\'foo\')); ?>', $this->compiler->compileString("@lang('foo')"));
$this->assertEquals('<?php echo e(app(\'translator\')->choice(\'foo\', 1)); ?>', $this->compiler->compileString("@choice('foo', 1)"));
}
}
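Review bot: The updated expectations on lines 66, 74 and 75 cover the `@lang(...)` and `@choice(...)` forms, but nothing in this file exercises the `@endlang` path, whose compiled output this commit also wraps in `e()` (the `compileEndlang` change in the first file section). A regression there would go unnoticed, so a third assertion is warranted, presumably of the form `$this->assertSame('<?php echo e($__env->renderTranslation()); ?>', $this->compiler->compileString('@endlang'));` — confirm the exact compiled form against how the directive is dispatched, since that code is not visible here. It would also help future readers to state in a short comment that these tests deliberately pin the escaping (`e(...)` wrapper) rather than just the translator call, so that nobody "simplifies" the expected strings back to the unescaped form.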

8 comments on commit d3c0a36

@bonzai
Contributor

@bonzai bonzai commented on d3c0a36 Sep 2, 2018


This is a breaking change:

zrzut ekranu 2018-09-02 14 09 20

@simonschaufi

@simonschaufi simonschaufi commented on d3c0a36 Sep 4, 2018


If anyone else stumbles over this, see: #25408

@zanozik
Contributor

@zanozik zanozik commented on d3c0a36 Sep 5, 2018


Extremely breaking change. How come this was included in a minor update???

@markovic-nikola
Contributor


No notification before pushing this change or notice in the documentation, and now several production apps are breaking, not cool...

@GrahamCampbell
Member


This is a security fix.

@markovic-nikola
Contributor


Hi @GrahamCampbell,
I already know that, no one has the problem with the security fix itself, check the other issues/complaints. The way it was delivered silently is the bad part.

@simonschaufi


@GrahamCampbell is there any announcement about this security issue?

@xevsy

@xevsy xevsy commented on d3c0a36 Sep 13, 2018


My tests fail on this version in the registration controller:

Welcome, register to access TestCompany&#39's Application tracking system

instead of

Welcome, register to access TestCompany's Application tracking system
