fix: html encode backslashes if used with escape filter or autoescape
Backslashes should be html encoded when present in expressions that are
passed to the escape filter (including when this happens automatically
with autoescape)
fdintino committed Apr 12, 2023
1 parent fd50090 commit 5ea30b5
Showing 4 changed files with 23 additions and 5 deletions.
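--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,13 @@
 Changelog
 =========
 
+3.2.4 (unreleased)
+------------------
+
+* HTML encode backslashes when expressions are passed through the escape
+filter (including when this is done automatically with autoescape). Merge
+of [#1427](https://github.com/mozilla/nunjucks/pull/1427).
+
 3.2.3 (Feb 15 2021)
 -------------------
 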
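--- a/nunjucks/src/lib.js
+++ b/nunjucks/src/lib.js
@@ -8,10 +8,11 @@ var escapeMap = {
 '"': '"',
 '\'': ''',
 '<': '&lt;',
-'>': '&gt;'
+'>': '&gt;',
+'\\': '&#92;',
 };
 
-var escapeRegex = /[&"'<>]/g;
+var escapeRegex = /[&"'<>\\]/g;
 
 var exports = module.exports = {};
 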
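Review bot: The new `'\\': '&#92;'` entry and the widened `escapeRegex` carry no comment saying why a backslash needs HTML encoding, and the commit message only restates the behaviour, so a later reader will see a character with no meaning to an HTML parser in the map and be tempted to drop it. Add a why-comment on the map entry, for example `// '\\' is encoded too: presumably so a trailing backslash cannot cancel the escaping of a following quote in a context that treats \ as an escape character — confirm against the issue this fixes`, hedged because the motivating context is not visible in this hunk. The same comment should state what this does not buy: character references are only decoded in element content and attribute values, so inside raw-text elements such as `<script>` and `<style>` the emitted `&#92;` and `&#39;` stay literal and autoescape still does not make interpolation into a JavaScript string safe. The `"` and `'` entries on the two lines above appear with their entities decoded in this rendering; the test elsewhere in the commit expecting `&#39;` suggests the file itself holds `&quot;` and `&#39;`. `escapeMap` starts before this hunk and the function that applies `escapeRegex` is outside it.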
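--- a/tests/compiler.js
+++ b/tests/compiler.js
@@ -1976,6 +1976,16 @@
 finish(done);
 });
 
+it('should autoescape backslashes', function(done) {
+equal(
+'{{ foo }}',
+{ foo: 'foo \\\' bar' },
+{ autoescape: true },
+'foo &#92;&#39; bar');
+
+finish(done);
+});
+
 it('should not autoescape when extension set false', function(done) {
 function TestExtension() {
 // jshint validthis: true
@@ -2031,7 +2041,7 @@
 });
 
 it('should render regexs', function(done) {
-equal('{{ r/name [0-9] \\// }}',
+equal('{{ r/name [0-9] \\// }}', {}, { autoescape: false },
 '/name [0-9] \\//');
 
 equal('{{ r/x/gi }}',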
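Review bot: Changing the regex test to `equal('{{ r/name [0-9] \\// }}', {}, { autoescape: false },` sidesteps a behaviour change rather than pinning it: the flip of the flag implies that a rendered regex literal is now affected by autoescape, so with the default settings its backslash comes out as `&#92;`, and no test states that. Add a companion assertion such as `equal('{{ r/name [0-9] \\// }}', {}, { autoescape: true }, '/name [0-9] &#92;//');` so the new output for regex values is explicit and a future narrowing of the escape set is caught. The new `should autoescape backslashes` case is fine as written. The `describe` block enclosing both hunks starts before this section.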
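--- a/tests/filters.js
+++ b/tests/filters.js
@@ -108,9 +108,9 @@
 
 it('escape', function() {
 equal(
-'{{ "<html>" | escape }}', {},
+'{{ "<html>\\\\" | escape }}', {},
 { autoescape: false },
-'&lt;html&gt;');
+'&lt;html&gt;&#92;');
 });
 
 it('escape skip safe', function() {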
