Improves content escaping logic via INI settings

octobercms · Aug 31, 2023 · 44fe169 · 44fe169
1 parent aa3388b
commit 44fe169
Showing 1 changed file with 15 additions and 4 deletions.
diff --git a/src/Halcyon/Processors/SectionParser.php b/src/Halcyon/Processors/SectionParser.php
@@ -50,13 +50,14 @@ public static function render($data, $options = [])
         $trim($settings);
 
         // Build content
-        //
         $content = [];
 
+        // Settings section
         if ($settings) {
-            $content[] = $iniParser->render($settings);
+            $content[] = self::cleanContentSections($iniParser->render($settings));
         }
 
+        // Code section
         if ($code) {
             if ($wrapCodeInPhpTags) {
                 $code = preg_replace('/^\<\?php/', '', $code);
@@ -71,9 +72,10 @@ public static function render($data, $options = [])
             }
         }
 
-        // Strip content separator from content as a method of escape
-        $content[] = implode('', self::splitContentSections($markup));
+        // Content section
+        $content[] = self::cleanContentSections($markup);
 
+        // Assemble template content
         $content = trim(implode(PHP_EOL.self::SECTION_SEPARATOR.PHP_EOL, $content));
 
         return $content;
@@ -182,6 +184,15 @@ public static function parseOffset($content)
         return $result;
     }
 
+    /**
+     * cleanContentSections ensures the content does not attempt to escape its section
+     * by using the separator sequence. The content separator is simply removed.
+     */
+    protected static function cleanContentSections($content)
+    {
+        return implode('', self::splitContentSections($content));
+    }
+
     /**
      * splitContentSections splits a block of content in to sections,
      * split by the section separator (==).