Skip to content

Commit

Permalink
PhpWriter: complex expression in strings prohibited in sandbox mode
Browse files Browse the repository at this point in the history
  • Loading branch information
dg committed Jan 4, 2022
1 parent a69d0b9 commit 9e1b4f7
Show file tree
Hide file tree
Showing 2 changed files with 20 additions and 0 deletions.
8 changes: 8 additions & 0 deletions src/Latte/Compiler/PhpWriter.php
Original file line number Diff line number Diff line change
Expand Up @@ -226,6 +226,14 @@ public function validateTokens(MacroTokens $tokens): void
} elseif ($tokens->isCurrent('`')) {
throw new CompileException('Backtick operator is forbidden in Latte.');

} elseif (
$this->policy
&& $tokens->isCurrent($tokens::T_STRING)
&& $tokenValue[0] === '"'
&& (strpos($tokenValue, '{$') !== false || strpos($tokenValue, '${') !== false)
) {
throw new CompileException('Forbidden complex expressions in strings.');

} elseif (
Helpers::startsWith($tokenValue, '$ʟ_')
|| ($this->policy && $tokens->isCurrent('$this'))
Expand Down
12 changes: 12 additions & 0 deletions tests/Latte/Policy.violations.phpt
Original file line number Diff line number Diff line change
Expand Up @@ -128,3 +128,15 @@ Assert::exception(function () use ($latte) {
Assert::exception(function () use ($latte) {
$latte->compile('{do new stdClass}');
}, Latte\CompileException::class, "Forbidden keyword 'new' inside tag.");

Assert::exception(function () use ($latte) {
$latte->compile('{="{$var}"}');
}, Latte\CompileException::class, 'Forbidden complex expressions in strings.');

Assert::exception(function () use ($latte) {
$latte->compile('{="${var}"}');
}, Latte\CompileException::class, 'Forbidden complex expressions in strings.');

Assert::noError(function () use ($latte) {
$latte->compile('{=\'${var}\'}');
});

0 comments on commit 9e1b4f7

Please sign in to comment.