fix: html encode backslashes if used with escape filter or autoescape

mozilla · Apr 12, 2023 · b334e33 · b334e33
1 parent fd50090
commit b334e33
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 5 deletions.
diff --git a/nunjucks/src/lib.js b/nunjucks/src/lib.js
@@ -8,10 +8,11 @@ var escapeMap = {
   '"': '&quot;',
   '\'': '&#39;',
   '<': '&lt;',
-  '>': '&gt;'
+  '>': '&gt;',
+  '\\': '&#92;',
 };
 
-var escapeRegex = /[&"'<>]/g;
+var escapeRegex = /[&"'<>\\]/g;
 
 var exports = module.exports = {};
 

diff --git a/tests/compiler.js b/tests/compiler.js
@@ -1976,6 +1976,16 @@
       finish(done);
     });
 
+    it('should autoescape backslashes', function(done) {
+      equal(
+        '{{ foo }}',
+        { foo: 'foo \\\' bar' },
+        { autoescape: true },
+        'foo &#92;&#39; bar');
+
+      finish(done);
+    });
+
     it('should not autoescape when extension set false', function(done) {
       function TestExtension() {
         // jshint validthis: true
@@ -2031,7 +2041,7 @@
     });
 
     it('should render regexs', function(done) {
-      equal('{{ r/name [0-9] \\// }}',
+      equal('{{ r/name [0-9] \\// }}', {}, { autoescape: false },
         '/name [0-9] \\//');
 
       equal('{{ r/x/gi }}',

diff --git a/tests/filters.js b/tests/filters.js
@@ -108,9 +108,9 @@
 
     it('escape', function() {
       equal(
-        '{{ "<html>" | escape }}', {},
+        '{{ "<html>\\\\" | escape }}', {},
         { autoescape: false },
-        '&lt;html&gt;');
+        '&lt;html&gt;&#92;');
     });
 
     it('escape skip safe', function() {