Fixed a number of autoescape issues #368

CHANGELOG.md

@@ -1,3 +1,9 @@
+# v4.0.0-rc.4
+## mm/dd/2019
+
+1. [](#bugfix)
+    * Fixed a number of escaping issues [#368](https://github.com/getgrav/grav-plugin-form/issues/368)
+
 # v4.0.0-rc.3
 ## 08/27/2019
 

templates/forms/default/field.html.twig

@@ -92,7 +92,7 @@
 
 {# Field Label #}
 {% set form_field_label = field.markdown ? field.label|markdown(false) : field.label %}
-{% set form_field_label = form_field_label|default(field.name|capitalize)|t|e('html_attr') %}
+{% set form_field_label = form_field_label|default(field.name|capitalize)|t|e %}
 
 {# Field Help #}
 {% if field.help %}
@@ -184,35 +184,35 @@
   {% embed field_layout_template|default('forms/layouts/field.html.twig') %}
 
     {% block contents %}
-     {{ embed_field_contents|trim ? embed_field_contents|trim : parent() }}
+     {{ embed_field_contents|trim ? embed_field_contents|trim|raw : parent() }}
     {% endblock %}
 
     {% block label %}
-      {{ embed_field_label|trim ? embed_field_label|trim : parent() }}
+      {{ embed_field_label|trim ? embed_field_label|trim|raw : parent() }}
     {% endblock %}
 
     {% block global_attributes %}
-      {{ embed_field_global_attributes|trim ? embed_field_global_attributes|trim : parent() }}
+      {{ embed_field_global_attributes|trim ? embed_field_global_attributes|trim|raw : parent() }}
     {% endblock %}
 
     {% block group %}
-      {{ embed_field_group|trim ? embed_field_group|trim : parent() }}
+      {{ embed_field_group|trim ? embed_field_group|trim|raw : parent() }}
     {% endblock %}
 
     {% block input %}
-      {{ embed_field_input|trim ? embed_field_input|trim : parent() }}
+      {{ embed_field_input|trim ? embed_field_input|trim|raw : parent() }}
     {% endblock %}
 
     {% block input_attributes %}
-      {{ embed_field_input_attributes|trim ? embed_field_input_attributes|trim : parent() }}
+      {{ embed_field_input_attributes|trim ? embed_field_input_attributes|trim|raw : parent() }}
     {% endblock %}
 
     {% block prepend %}
-      {{ embed_field_prepend|trim ? embed_field_prepend|trim : parent() }}
+      {{ embed_field_prepend|trim ? embed_field_prepend|trim|raw : parent() }}
     {% endblock %}
 
     {% block append %}
-      {{ embed_field_append|trim ? embed_field_append|trim : parent() }}
+      {{ embed_field_append|trim ? embed_field_append|trim|raw : parent() }}
     {% endblock %}
 
   {% endembed %}

templates/forms/default/form.html.twig

@@ -112,23 +112,22 @@
   {%- endblock %}
 
   {% block embed_fields %}
-    {{ override_inner_markup_fields_start }}
-
-    {{ override_inner_markup_fields }}
+    {{ override_inner_markup_fields_start|raw }}
+    {{ override_inner_markup_fields|raw }}
 
     {% include "forms/fields/formname/formname.html.twig" %}
     {% include "forms/fields/formtask/formtask.html.twig" %}
     {% include 'forms/fields/uniqueid/uniqueid.html.twig' %}
     {{ nonce_field(form.getNonceAction() ?? 'form', form.getNonceName() ?? 'form-nonce')|raw }}
 
-    {{ override_inner_markup_fields_end }}
+    {{ override_inner_markup_fields_end|raw }}
   {% endblock %}
 
   {% block embed_buttons %}
-    {{ override_inner_markup_buttons_start }}
+    {{ override_inner_markup_buttons_start|raw }}
 
     {% for button in form.buttons %}
-      {% if button.outerclasses is defined %}<div class=" {{ button.outerclasses }}">{% endif %}
+      {% if button.outerclasses is defined %}<div class="{{ button.outerclasses }}">{% endif %}
 
       {% if button.url %}
       {% set button_url = button.url starts with 'http' ? button.url : base_url ~ button.url %}
@@ -151,9 +150,9 @@
         {% block embed_button_content -%}
           {%- set button_value = button.value|t|default('Submit') -%}
           {%- if button.html -%}
-            {{- button_value|raw|trim -}}
+            {{- button_value|trim|raw -}}
           {%- else -%}
-            {{- button_value|trim -}}
+            {{- button_value|trim|e -}}
           {%- endif -%}
         {%- endblock %}
 

templates/forms/layouts/button.html.twig

@@ -1,12 +1,12 @@
 {% set button_tag %}
-  <button
-      {% block embed_button_core %}{% endblock %}
-      {% block embed_button_classes %}{% endblock %}
-  >{%- block embed_button_content -%}{%- endblock -%}</button>
+<button
+    {% block embed_button_core %}{% endblock %}
+    {% block embed_button_classes %}{% endblock %}
+>{%- block embed_button_content -%}{%- endblock -%}</button>
 {% endset %}
 
 {% if button_url %}
-  <a href="{{ button_url }}">{{ button_tag|trim }}</a>
+  <a href="{{ button_url|e }}">{{ button_tag|trim|raw }}</a>
 {% else %}
-  {{ button_tag|trim }}
+  {{ button_tag|trim|raw }}
 {% endif %}

templates/forms/layouts/field.html.twig

@@ -6,7 +6,7 @@
         <label class="{{ layout_form_field_label_classes }}{{ form_field_label_trim }}" {% if field.id %}for="{{ form_field_for }}"{% endif %}>
           {%- block label -%}
             {%- if form_field_help -%}
-              <span class="tooltip" data-tooltip="{{ form_field_help }}">{{ form_field_label }}</span>
+              <span class="tooltip" data-tooltip="{{ form_field_help|e }}">{{ form_field_label }}</span>
             {%- else -%}
               {{ form_field_label }}
             {%- endif -%}
@@ -26,14 +26,13 @@
             {% block prepend %}{% endblock prepend %}
             <input
               name="{{ (scope ~ field.name)|fieldName }}"
-              value="{{ value|join(', ')|e('html_attr') }}"
-
+              value="{{ value|join(', ')|e }}"
               {% block input_attributes %}{% endblock %}
             />
             {% block append %}{% endblock append %}
             {% if inline_errors and errors %}
             <div class="{{ form_field_inline_error_classes }}">
-              <p class="form-message"><i class="fa fa-exclamation-circle"></i> {{ errors|first }}</p>
+              <p class="form-message"><i class="fa fa-exclamation-circle"></i> {{ errors|first|raw }}</p>
             </div>
             {% endif %}
           </div>
@@ -42,7 +41,7 @@
       {% if field.description %}
         <div class="{{ form_field_extra_wrapper_classes }}">
           <span class="form-description">
-            {{ form_field_description }}
+            {{ form_field_description|raw }}
           </span>
         </div>
       {% endif %}