diff --git a/README.md b/README.md index cb79a66..afacc90 100644 --- a/README.md +++ b/README.md @@ -34,12 +34,21 @@ echo 'Registered user: ' . $username; Use: ```php -echo 'Registered user: ' . \JakubBoucek\Escape\Escape::html($username); +use JakubBoucek\Escape\Escape; + +echo 'Registered user: ' . Escape::html($username); +``` + +You can use shortcut by aliasing too: +```php +use JakubBoucek\Escape\Escape as E; + +echo 'Registered user: ' . E::html($username); ``` ## CSS specifics -In few cases you cannot use `\JakubBoucek\Escape\Escape::css($cssColor)` to escape +In few cases you cannot use `Escape::css($cssColor)` to escape some known format, because standard escaping is broke CSS format. Class `EscapeCss` has prepared limited set of known propetries with specefics format: @@ -48,7 +57,9 @@ limited set of known propetries with specefics format: Sanitize value od CSS `color` property to safe format, example: ```php -echo ''; +use JakubBoucek\Escape\EscapeCss; + +echo ''; ``` It's prevent attact by escaping color value context. @@ -57,6 +68,20 @@ It's prevent attact by escaping color value context. Package supports escaping HTML with included [safe HTML content](https://doc.nette.org/en/3.1/html-elements). +Usage: +```php +use JakubBoucek\Escape\Escape; +use Nette\Utils\Html; + +$avatarUrl = 'http:/example.com/avatar.png'; +$username = 'John Doe '; + +$avatarImage = Html::el('img')->src($avatarUrl)->width(16); +echo Escape::html($avatarImage, ' ', $username); + +// John Doe <script>hack</script> +``` + ## Output without any escaping In some cases you intentionally want to output variable without any escaping, but somebody other or your future self may diff --git a/src/Escape.php b/src/Escape.php index 5109d01..e41eddc 100644 --- a/src/Escape.php +++ b/src/Escape.php @@ -19,18 +19,25 @@ class Escape { /** - * Escapes string for use everywhere inside HTML (except for comments). - * @param string|HtmlStringable|IHtmlString|mixed $data + * Escapes strings for use everywhere inside HTML (except for comments) and concatenate it to string. + * @param string|HtmlStringable|IHtmlString|mixed ...$data * @return string * * @link https://api.nette.org/2.4/source-Latte.Runtime.Filters.php.html#27-35 */ - public static function html($data): string + public static function html(...$data): string { - if ($data instanceof HtmlStringable || $data instanceof IHtmlString) { - return (string)$data; + $output = ''; + + foreach ($data as $item) { + if ($item instanceof HtmlStringable || $item instanceof IHtmlString) { + $output .= $item; + } else { + $output .= htmlspecialchars((string)$item, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE); + } } - return htmlspecialchars((string)$data, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE); + + return $output; } /** diff --git a/tests/EscapeTest.php b/tests/EscapeTest.php index 9d0a876..8a84a2c 100644 --- a/tests/EscapeTest.php +++ b/tests/EscapeTest.php @@ -18,31 +18,40 @@ class EscapeTest extends TestCase public function getHtmlArgs(): array { return [ - ['', null], - ['', ''], - ['1', 1], - ['string', 'string'], - ['<br>', '
'], - ['< & ' " >', '< & \' " >'], - ['&quot;', '"'], - ['`hello', '`hello'], - ["foo \u{FFFD} bar", "foo \u{D800} bar"], // invalid codepoint high surrogates - ["foo \u{FFFD}" bar", "foo \xE3\x80\x22 bar"], // stripped UTF - ['Hello World', 'Hello World'], - ['Hello <World>', 'Hello '], - ['" ' < > & �', "\" ' < > & \x8F"], - ['`hello`', '`hello`'], - ['` <br> `', '`
`'], - ['Foo
bar', Html::fromHtml('Foo
bar')] + ['', []], + ['', [null]], + ['', ['']], + ['1', [1]], + ['string', ['string']], + ['<br>', ['
']], + ['< & ' " >', ['< & \' " >']], + ['&quot;', ['"']], + ['`hello', ['`hello']], + ["foo \u{FFFD} bar", ["foo \u{D800} bar"]], // invalid codepoint high surrogates + ["foo \u{FFFD}" bar", ["foo \xE3\x80\x22 bar"]], // stripped UTF + ['Hello World', ['Hello World']], + ['Hello <World>', ['Hello ']], + ['Hello World', [Html::fromText('Hello World')]], + ['Hello <World>', [Html::fromText('Hello ')]], + ['" ' < > & �', ["\" ' < > & \x8F"]], + ['`hello`', ['`hello`']], + ['` <br> `', ['`
`']], + ['Foo
bar', [Html::fromHtml('Foo
bar')]], + ['Foo<br>bar', [Html::fromText('Foo
bar')]], + ['Hello <World>Hello <World>', ['Hello ', 'Hello ']], + ['Hello <World>Hello ', ['Hello ', Html::fromHtml('Hello ')]], + ['Hello Hello <World>', [Html::fromHtml('Hello '), 'Hello ']], + ['Hello Hello ', [Html::fromHtml('Hello '), Html::fromHtml('Hello ')]], ]; } /** + * @param array $data * @dataProvider getHtmlArgs */ - public function testHtml(string $expected, $data): void + public function testHtml(string $expected, array $data): void { - Assert::same($expected, Escape::html($data)); + Assert::same($expected, Escape::html(...$data)); } public function getHtmlAttrArgs(): array