
Improper escaping in textareas causes data loss #409

Description

@artfulrobot

Version: 3.1.1

Bug Description

This line changes data (i.e. content in a <textarea> tag):
https://github.com/nette/latte/blob/v3.1.1/src/Latte/Runtime/HtmlHelpers.php#L48

e.g. if your value is hello {{you}}, then a Latte template like <textarea>{$value}</textarea> renders <textarea>hello {<!-- -->{you}}</textarea>, which is not correct, and since textareas are used to hold data, data can be lost. For a real-world example, I have a complex Mermaid diagram in a database. When the value is output by Latte, the injected raw HTML comments cause a crash in Mermaid because they corrupt the value.

Steps To Reproduce

https://fiddle.nette.org/latte wasn't generating a URL when clicking Save (I assume that's what it's supposed to have done), but you can see the output:

[Image: screenshot of the fiddle output]

Expected Behavior

Rendered HTML should be <textarea>hello {{you}}</textarea>
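The defect comes down to applying one escaping routine to two different HTML contexts. In an ordinary text node, breaking "{{" with an empty comment is a legitimate hardening step against client-side template engines (Vue, AngularJS and similar) interpolating user data, because the browser discards the comment and the visible text is unchanged. Inside <textarea> or <title> the parser is in RCDATA mode: it recognises neither tags nor comments, so the "<!-- -->" survives verbatim in the value. The following is an added example written for this page, not Latte's own code; the function names are hypothetical, and the "{{" break mirrors the transformation the issue links to.

```php
<?php
// Added example, not code from nette/latte. Function names are hypothetical.

/**
 * Escape a value for an ordinary HTML text node.
 * After the usual character escaping, "{{" is split with an empty comment
 * so a client-side template engine cannot interpolate attacker-controlled
 * data. The HTML parser drops the comment, so the DOM text is unchanged.
 */
function escapeHtmlText(string $s): string
{
    $s = htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return str_replace('{{', '{<!-- -->{', $s);
}

/**
 * Escape a value for RCDATA content (<textarea>, <title>).
 * The parser never recognises tags or comments here, so escaping "&" and
 * "<" is sufficient (it also neutralises a literal "</textarea>" in the
 * data). The "{{" break must NOT be applied in this context: it would be
 * stored as part of the value and corrupt the data, which is this issue.
 */
function escapeHtmlRawText(string $s): string
{
    return htmlspecialchars($s, ENT_NOQUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample value containing both client-template syntax and a
// closing tag, the two things each context has to handle.
$value = "hello {{you}}\n</textarea><script>alert(1)</script>";

// Text-node context: comment break applied, markup escaped.
echo '<p>' . escapeHtmlText($value) . "</p>\n";

// RCDATA context: markup escaped, braces left intact so the value
// round-trips through the form field unchanged.
echo '<textarea>' . escapeHtmlRawText($value) . "</textarea>\n";
```

Any template engine that auto-escapes should therefore track whether the current output position is a text node or an RCDATA element and choose the routine accordingly; a single shared escaper will either corrupt RCDATA values (as here) or drop the "{{" hardening from text nodes.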
