From 435b9f4541a140d426755d4f25f065781f9fa09b Mon Sep 17 00:00:00 2001
From: Lukas Bestle <lukas@getkirby.com>
Date: Tue, 23 Aug 2022 22:18:14 +0200
Subject: [PATCH] Template escaping

---
 site/snippets/blocks/image.php | 9 +++++----
 site/snippets/footer.php       | 2 +-
 site/snippets/header.php       | 6 +++---
 site/snippets/intro.php        | 4 ++--
 site/snippets/layouts.php      | 4 ++--
 site/snippets/note.php         | 2 +-
 site/templates/about.php       | 6 +++---
 site/templates/default.php     | 2 +-
 site/templates/home.php        | 2 +-
 site/templates/note.php        | 8 ++++----
 site/templates/notes.php       | 2 +-
 site/templates/photography.php | 2 +-
 12 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/site/snippets/blocks/image.php b/site/snippets/blocks/image.php
index 51994c9..577a3ac 100644
--- a/site/snippets/blocks/image.php
+++ b/site/snippets/blocks/image.php
@@ -23,10 +23,11 @@ $src      = null;
 $lightbox = $link->isEmpty();
 
 if ($block->location() == 'web') {
-    $src = $block->src();
+    $src      = $block->src();
+    $srcValue = $src->escape('attr');
 } elseif ($image = $block->image()->toFile()) {
     $alt = $alt->or($image->alt());
-    $src = $image->url();
+    $src = $srcValue = $image->url();
 }
 
 if ($ratio !== 'auto') {
@@ -44,10 +45,10 @@ $attrs = attr([
 ]);
 
 ?>
-<?php if ($src): ?>
+<?php if ($srcValue): ?>
 <figure>
   <a <?= $attrs ?>>
-    <img src="<?= $src ?>" alt="<?= $alt ?>">
+    <img src="<?= $srcValue ?>" alt="<?= esc($alt, 'attr') ?>">
   </a>
 
   <?php if ($caption->isNotEmpty()): ?>
diff --git a/site/snippets/footer.php b/site/snippets/footer.php
index 769e836..0540f2c 100644
--- a/site/snippets/footer.php
+++ b/site/snippets/footer.php
@@ -23,7 +23,7 @@
         <h2>Pages</h2>
         <ul>
           <?php foreach ($site->children()->listed() as $example): ?>
-          <li><a href="<?= $example->url() ?>"><?= $example->title()->html() ?></a></li>
+          <li><a href="<?= $example->url() ?>"><?= $example->title()->esc() ?></a></li>
           <?php endforeach ?>
         </ul>
       </div>
diff --git a/site/snippets/header.php b/site/snippets/header.php
index 762da8a..7daf30e 100644
--- a/site/snippets/header.php
+++ b/site/snippets/header.php
@@ -24,7 +24,7 @@
     site and the title of the current page
   */
   ?>
-  <title><?= $site->title() ?> | <?= $page->title() ?></title>
+  <title><?= $site->title()->esc() ?> | <?= $page->title()->esc() ?></title>
 
   <?php
   /*
@@ -60,7 +60,7 @@
     */
     ?>
     <a class="logo" href="<?= $site->url() ?>">
-      <?= $site->title()->html() ?>
+      <?= $site->title()->esc() ?>
     </a>
 
     <nav class="menu">
@@ -78,7 +78,7 @@
       */
       ?>
       <?php foreach ($site->children()->listed() as $item): ?>
-      <a <?php e($item->isOpen(), 'aria-current ') ?> href="<?= $item->url() ?>"><?= $item->title()->html() ?></a>
+      <a <?php e($item->isOpen(), 'aria-current ') ?> href="<?= $item->url() ?>"><?= $item->title()->esc() ?></a>
       <?php endforeach ?>
       <?php snippet('social') ?>
     </nav>
diff --git a/site/snippets/intro.php b/site/snippets/intro.php
index 3409cdd..28680e3 100644
--- a/site/snippets/intro.php
+++ b/site/snippets/intro.php
@@ -13,8 +13,8 @@
 */
 ?>
 <header class="h1">
-  <h1><?= $page->headline()->or($page->title())->html() ?></h1>
+  <h1><?= $page->headline()->or($page->title())->esc() ?></h1>
   <?php if ($page->subheadline()->isNotEmpty()): ?>
-  <p class="color-grey"><?= $page->subheadline()->html() ?></p>
+  <p class="color-grey"><?= $page->subheadline()->esc() ?></p>
   <?php endif ?>
 </header>
diff --git a/site/snippets/layouts.php b/site/snippets/layouts.php
index 8c65174..8449779 100644
--- a/site/snippets/layouts.php
+++ b/site/snippets/layouts.php
@@ -11,9 +11,9 @@
 */
 ?>
 <?php foreach ($field->toLayouts() as $layout): ?>
-<section class="grid margin-xl" id="<?= $layout->id() ?>" style="--gutter: 1.5rem">
+<section class="grid margin-xl" id="<?= esc($layout->id(), 'attr') ?>" style="--gutter: 1.5rem">
   <?php foreach ($layout->columns() as $column): ?>
-  <div class="column" style="--columns:<?= $column->span() ?>">
+  <div class="column" style="--columns:<?= esc($column->span(), 'css') ?>">
     <div class="text">
       <?= $column->blocks() ?>
     </div>
diff --git a/site/snippets/note.php b/site/snippets/note.php
index ad801bd..4873f4a 100644
--- a/site/snippets/note.php
+++ b/site/snippets/note.php
@@ -18,7 +18,7 @@
         <?php endif ?>
       </figure>
 
-      <h2 class="note-excerpt-title"><?= $note->title() ?></h2>
+      <h2 class="note-excerpt-title"><?= $note->title()->esc() ?></h2>
       <time class="note-excerpt-date" datetime="<?= $note->published('c') ?>"><?= $note->published() ?></time>
     </header>
     <?php if (($excerpt ?? true) !== false): ?>
diff --git a/site/templates/about.php b/site/templates/about.php
index cd7bc1b..3e6851b 100644
--- a/site/templates/about.php
+++ b/site/templates/about.php
@@ -33,15 +33,15 @@
     </section>
     <section class="column text" style="--columns: 4">
       <h3>Email</h3>
-      <p><?= html::email($page->email()) ?></p>
+      <p><?= Html::email($page->email()) ?></p>
       <h3>Phone</h3>
-      <p><?= html::tel($page->phone()) ?></p>
+      <p><?= Html::tel($page->phone()) ?></p>
     </section>
     <section class="column text" style="--columns: 4">
       <h3>On the web</h3>
       <ul>
         <?php foreach ($page->social()->toStructure() as $social): ?>
-        <li><?= html::a($social->url(), $social->platform()) ?></li>
+        <li><?= Html::a($social->url(), $social->platform()) ?></li>
         <?php endforeach ?>
       </ul>
     </section>
diff --git a/site/templates/default.php b/site/templates/default.php
index 0eeef81..ca1afbd 100644
--- a/site/templates/default.php
+++ b/site/templates/default.php
@@ -21,7 +21,7 @@
 <?php snippet('header') ?>
 
 <article>
-  <h1 class="h1"><?= $page->title()->html() ?></h1>
+  <h1 class="h1"><?= $page->title()->esc() ?></h1>
   <div class="text">
     <?= $page->text()->kt() ?>
   </div>
diff --git a/site/templates/home.php b/site/templates/home.php
index 544e47c..2adf29e 100644
--- a/site/templates/home.php
+++ b/site/templates/home.php
@@ -48,7 +48,7 @@
           <?php endif ?>
           <figcaption>
             <span>
-              <span class="example-name"><?= $album->title()->html() ?></span>
+              <span class="example-name"><?= $album->title()->esc() ?></span>
             </span>
           </figcaption>
         </figure>
diff --git a/site/templates/note.php b/site/templates/note.php
index eef9020..8d775c3 100644
--- a/site/templates/note.php
+++ b/site/templates/note.php
@@ -31,9 +31,9 @@
 
 <article class="note">
   <header class="note-header h1">
-    <h1 class="note-title"><?= $page->title()->html() ?></h1>
+    <h1 class="note-title"><?= $page->title()->esc() ?></h1>
     <?php if ($page->subheading()->isNotEmpty()): ?>
-    <p class="note-subheading"><small><?= $page->subheading()->html() ?></small></p>
+    <p class="note-subheading"><small><?= $page->subheading()->esc() ?></small></p>
     <?php endif ?>
   </header>
   <div class="note text">
@@ -44,13 +44,13 @@
     <ul class="note-tags">
       <?php foreach ($tags as $tag): ?>
       <li>
-        <a href="<?= $page->parent()->url(['params' => ['tag' => $tag]]) ?>"><?= html($tag) ?></a>
+        <a href="<?= $page->parent()->url(['params' => ['tag' => $tag]]) ?>"><?= esc($tag) ?></a>
       </li>
       <?php endforeach ?>
     </ul>
     <?php endif ?>
 
-    <time class="note-date" datetime="<?= $page->date('c') ?>">Published on <?= $page->date() ?></time>
+    <time class="note-date" datetime="<?= $page->date()->toDate('c') ?>">Published on <?= $page->date()->esc() ?></time>
   </footer>
 
   <?php snippet('prevnext') ?>
diff --git a/site/templates/notes.php b/site/templates/notes.php
index ebb8b22..c233a45 100644
--- a/site/templates/notes.php
+++ b/site/templates/notes.php
@@ -26,7 +26,7 @@
 <?php if (empty($tag) === false): ?>
 <header class="h1">
   <h1>
-    <small>Tag:</small> <?= html($tag) ?>
+    <small>Tag:</small> <?= esc($tag) ?>
     <a href="<?= $page->url() ?>" aria-label="All Notes">&times;</a>
   </h1>
 </header>
diff --git a/site/templates/photography.php b/site/templates/photography.php
index fb9364f..09ac34c 100644
--- a/site/templates/photography.php
+++ b/site/templates/photography.php
@@ -30,7 +30,7 @@
           <?= ($cover = $project->cover()) ? $cover->crop(400, 500) : null ?>
         </span>
         <figcaption class="img-caption">
-          <?= $project->title()->html() ?>
+          <?= $project->title()->esc() ?>
         </figcaption>
       </figure>
     </a>