@morozov
Created November 6, 2015 00:02
Kind of automatic escaping in Smarty
<?php
/**
 * {end_context}: removes the context-specific modifier pushed by the
 * matching {start_context}, so later variables fall back to the
 * template-wide default escaping. It assumes a context is open; an
 * unmatched {end_context} would shift off the template-wide default instead.
 */
function smarty_compiler_end_context($_, Smarty_Compiler $compiler)
{
    array_shift($compiler->default_modifiers);
}
<?php
/**
 * {start_context type}: pushes a context-specific escape modifier in front
 * of the compiler's default modifiers. Every {$var} until the matching
 * {end_context} is escaped for that context first and then run through the
 * remaining defaults (the HTML escape configured in the calling script).
 */
function smarty_compiler_start_context($type, Smarty_Compiler $compiler)
{
    switch ($type) {
        case 'javascript':
            $modifier = 'escape:javascript';
            break;
        default:
            $compiler->trigger_error('Unknown context type ' . $type);
            return;
    }
    array_unshift($compiler->default_modifiers, $modifier);
}
<?php
$smarty = new Sugar_Smarty();
// Template-wide default: every variable is HTML-escaped unless a
// {start_context} block adds a context-specific modifier in front of it.
$smarty->default_modifiers = array('escape:\'html\':\'UTF-8\'');
// A payload that must not execute in any of the output positions of test.tpl.
$smarty->assign('var', '<script>
alert("xss");
</script>');
$smarty->display('test.tpl');
{* test.tpl, rendered by the script above *}
<div>Hey, this is {$var}</div>
<button data-var="{$var}" onclick="{start_context javascript}alert('{$var}'){end_context}">Click me, I'm {$var}</button>
<script>{start_context javascript}
var name = "{$var}";
alert(name);
{end_context}</script>
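Added example, not code from the gist: it replays the modifier chain that the start_context/end_context plugins build for the three positions in test.tpl, so the rendered output can be inspected without a Smarty install. The escape_html and escape_javascript helpers are written to match Smarty 2's escape modifier, which is an assumption about the Smarty version behind Sugar_Smarty.

```php
<?php
// Added example, not part of the gist. escape_html/escape_javascript are
// assumed to behave like Smarty 2's modifier.escape.php 'html' and
// 'javascript' cases.

function escape_html(string $s, string $charset = 'UTF-8'): string
{
    return htmlspecialchars($s, ENT_QUOTES, $charset);
}

function escape_javascript(string $s): string
{
    // Quotes, backslashes and line breaks would end a JS string literal;
    // "</" could close the enclosing <script> element early.
    return strtr($s, array(
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"',
        "\r" => '\\r', "\n" => '\\n', '</' => '<\\/',
    ));
}

// Applies a default_modifiers list left to right, the order Smarty uses.
function apply_modifiers(string $value, array $modifiers): string
{
    foreach ($modifiers as $mod) {
        $args = array_map(fn ($a) => trim($a, "'"), explode(':', $mod));
        $type = $args[1] ?? 'html';
        $value = $type === 'javascript'
            ? escape_javascript($value)
            : escape_html($value, $args[2] ?? 'UTF-8');
    }
    return $value;
}

// The payload assigned in the test script.
$var = "<script>\nalert(\"xss\");\n</script>";

// Outside any context: only the template-wide html escape applies.
$html = apply_modifiers($var, array("escape:'html':'UTF-8'"));
// Inside {start_context javascript}: array_unshift puts escape:javascript
// first, so the value is JS-escaped and then HTML-escaped.
$js = apply_modifiers($var, array('escape:javascript', "escape:'html':'UTF-8'"));

echo "<div>Hey, this is $html</div>\n";
echo "<button onclick=\"alert('$js')\">Click me</button>\n";
echo "<script>\nvar name = \"$js\";\n</script>\n";
```

In the onclick attribute the browser decodes the HTML entities before the JavaScript engine sees the value, so stacking the two escapes is correct there. Inside the script element no entity decoding happens, so the value stays inert but the entities reach JavaScript literally, which is the limitation of reusing the HTML default inside a javascript context.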