Escaping attributes and adding unit test (see #49)

Gregwar · Mar 26, 2019 · 3025618 · 3025618
1 parent 936a19d
commit 3025618
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/Fields/Field.php b/Fields/Field.php
@@ -314,7 +314,7 @@ public function getHtml()
         $html = '<input ';
 
         foreach ($this->attributes as $name => $value) {
-            $html.= $name.'="'.$value.'" ';
+            $html.= $name.'="'.htmlspecialchars($value).'" ';
         }
 
         if ($this->required) {

diff --git a/tests/FormTests.php b/tests/FormTests.php
@@ -261,6 +261,24 @@ public function testAccessingNotExistingField()
         $form->getField('titi');
     }
 
+    public function testQuotesAttributes()
+    {
+        $form = $this->getForm('quotes.html');
+        $field = $form->getField('xxx');
+
+        $this->assertTrue($field->hasAttribute('foo'));
+        $this->assertEquals($field->getAttribute('foo'), 'bar baz "bax"');
+
+        $doc = new DOMDocument();
+        $doc->loadHTML("$form");
+        $element = $doc->getElementById('theinput');
+
+        $this->assertFalse($element == null);
+        $this->assertTrue($element->hasAttribute('foo'));
+        $this->assertEquals($element->getAttribute('foo'), 'bar baz "bax"');
+
+    }
+
     public function testPlaceholder()
     {
         $form = $this->getForm('placeholder.html');

diff --git a/tests/files/form/quotes.html b/tests/files/form/quotes.html
@@ -0,0 +1,3 @@
+<form method="post">
+    <input id="theinput" type="text" name="xxx" foo='bar baz "bax"' />
+</form>