/**
* @test
*/
public function variablesAreNotEscapedIfEscapingIsDisabled()
{
$standaloneView = new StandaloneView(null, $this->standaloneViewNonce);
$standaloneView->assign('name', 'Sebastian <script>alert("dangerous");</script>');
$standaloneView->setTemplateSource('{escapingEnabled=false}Hello {name}.');
$expected = 'Hello Sebastian <script>alert("dangerous");</script>.';
$actual = $standaloneView->render();
$this->assertSame($expected, $actual);
}
/**
* Tests the wrong interceptor behavior described in ticket FLOW-430
* Basically the rendering should be consistent regardless of cache flushes,
* but due to the way the interceptor configuration was build the second second
* rendering was bound to fail, this should never happen.
*
* @test
*/
public function interceptorsWorkInPartialRenderedInStandaloneSection()
{
$httpRequest = Request::create(new Uri('http://localhost'));
$actionRequest = new ActionRequest($httpRequest);
$actionRequest->setFormat('html');
$standaloneView = new StandaloneView($actionRequest, $this->standaloneViewNonce);
$standaloneView->assign('hack', '<h1>HACK</h1>');
$standaloneView->setTemplatePathAndFilename(__DIR__ . '/Fixtures/NestedRenderingConfiguration/TemplateWithSection.txt');
$expected = 'Christian uses <h1>HACK</h1>';
$actual = trim($standaloneView->renderSection('test'));
$this->assertSame($expected, $actual, 'First rendering was not escaped.');
// To avoid any side effects we create a separate accessible mock to find the cache identifier for the partial
$dummyTemplateView = $this->getAccessibleMock(StandaloneView::class, null, array($actionRequest, $this->standaloneViewNonce));
$partialCacheIdentifier = $dummyTemplateView->_call('createIdentifierForFile', __DIR__ . '/Fixtures/NestedRenderingConfiguration/Partials/Test.html', 'partial_Test');
$templateCache = $this->objectManager->get(CacheManager::class)->getCache('Fluid_TemplateCache');
$templateCache->remove($partialCacheIdentifier);
$expected = 'Christian uses <h1>HACK</h1>';
$actual = trim($standaloneView->renderSection('test'));
$this->assertSame($expected, $actual, 'Second rendering was not escaped.');
}
/**
* @test
*/
public function variablesAreNotEscapedIfRequestFormatIsNotHtml()
{
$httpRequest = Request::create(new Uri('http://localhost'));
$actionRequest = new ActionRequest($httpRequest);
$actionRequest->setFormat('txt');
$standaloneView = new StandaloneView($actionRequest, $this->standaloneViewNonce);
$standaloneView->assign('name', 'Sebastian <script>alert("dangerous");</script>');
$standaloneView->setTemplatePathAndFilename(__DIR__ . '/Fixtures/TestTemplate.txt');
$expected = 'This is a test template. Hello Sebastian <script>alert("dangerous");</script>.';
$actual = $standaloneView->render();
$this->assertSame($expected, $actual);
}
