Filter::renderHtmlAttribute & renderXmlAttribute: added name validation

Author: dg

src/Latte/Runtime/Filters.php

@@ -279,7 +279,10 @@ public static function safeTag(mixed $name, bool $xml = false): string
 	 */
 	public static function renderHtmlAttribute(string $name, mixed $value): ?string
 	{
-		if ($value === null || $value === false) {
+		if (!preg_match('~^[^\p{C} "\'>=/]+$~Du', $name)) {
+			throw new Latte\RuntimeException("Invalid HTML attribute name '$name'");
+
+		} elseif ($value === null || $value === false) {
 			return null;
 
 		} elseif ($value === true) {
@@ -322,7 +325,11 @@ public static function renderHtmlAttribute(string $name, mixed $value): ?string
 	 */
 	public static function renderXmlAttribute(string $name, mixed $value): ?string
 	{
-		if ($value === null || $value === false) {
+		// https://www.w3.org/TR/xml/#NT-Name
+		if (!preg_match('~^[:A-Z_a-z\x{C0}-\x{D6}\x{D8}-\x{F6}\x{F8}-\x{2FF}\x{370}-\x{37D}\x{37F}-\x{1FFF}\x{200C}-\x{200D}\x{2070}-\x{218F}\x{2C00}-\x{2FEF}\x{3001}-\x{D7FF}\x{F900}-\x{FDCF}\x{FDF0}-\x{FFFD}\x{10000}-\x{EFFFF}][\-\.0-9:A-Z_a-z\x{B7}\x{C0}-\x{D6}\x{D8}-\x{F6}\x{F8}-\x{2FF}\x{300}-\x{36F}\x{370}-\x{37D}\x{37F}-\x{1FFF}\x{200C}-\x{200D}\x{203F}-\x{2040}\x{2070}-\x{218F}\x{2C00}-\x{2FEF}\x{3001}-\x{D7FF}\x{F900}-\x{FDCF}\x{FDF0}-\x{FFFD}\x{10000}-\x{EFFFF}]*$~Du', $name)) {
+			throw new Latte\RuntimeException("Invalid XML attribute name '$name'");
+
+		} elseif ($value === null || $value === false) {
 			return null;
 
 		} elseif ($value === true) {

tests/filters/renderHtmlAttribute.phpt

@@ -60,3 +60,16 @@ test('special values (numbers, Infinity, NaN)', function () {
 	Assert::same("a=\"foo \u{D800} bar\"", Filters::renderHtmlAttribute('a', "foo \u{D800} bar")); // invalid codepoint high surrogates
 	Assert::same("a='foo \xE3\x80\x22 bar'", Filters::renderHtmlAttribute('a', "foo \xE3\x80\x22 bar")); // stripped UTF
 });
+
+
+test('name validity', function () {
+	Assert::type('string', Filters::renderHtmlAttribute('_name', ''));
+	Assert::type('string', Filters::renderHtmlAttribute('42name', ''));
+	Assert::type('string', Filters::renderHtmlAttribute('元素', '')); // Chinese for "element"
+	Assert::type('string', Filters::renderHtmlAttribute('-my&HTML_element.name:2', ''));
+
+	Assert::exception(fn() => Filters::renderHtmlAttribute('', ''), Latte\RuntimeException::class);
+	Assert::exception(fn() => Filters::renderHtmlAttribute("name\n", ''), Latte\RuntimeException::class);
+	Assert::exception(fn() => Filters::renderHtmlAttribute('name name', ''), Latte\RuntimeException::class);
+	Assert::exception(fn() => Filters::renderHtmlAttribute('name"name', ''), Latte\RuntimeException::class);
+});

tests/filters/renderXmlAttribute.phpt

@@ -41,3 +41,18 @@ test('special values (numbers, Infinity, NaN)', function () {
 	Assert::same("a=\"foo \u{FFFD} bar\"", Filters::renderXmlAttribute('a', "foo \u{D800} bar")); // invalid codepoint high surrogates
 	Assert::same("a=\"foo \u{FFFD}" bar\"", Filters::renderXmlAttribute('a', "foo \xE3\x80\x22 bar")); // stripped UTF
 });
+
+
+test('name validity', function () {
+	Assert::type('string', Filters::renderXmlAttribute('_name', ''));
+	Assert::type('string', Filters::renderXmlAttribute('元素', '')); // Chinese for "element"
+	Assert::type('string', Filters::renderXmlAttribute(':my-XML_element.name:2', ''));
+
+	Assert::exception(fn() => Filters::renderXmlAttribute('', ''), Latte\RuntimeException::class);
+	Assert::exception(fn() => Filters::renderXmlAttribute("name\n", ''), Latte\RuntimeException::class);
+	Assert::exception(fn() => Filters::renderXmlAttribute('1name', ''), Latte\RuntimeException::class);
+	Assert::exception(fn() => Filters::renderXmlAttribute('-name', ''), Latte\RuntimeException::class);
+	Assert::exception(fn() => Filters::renderXmlAttribute('name name', ''), Latte\RuntimeException::class);
+	Assert::exception(fn() => Filters::renderXmlAttribute('name&name', ''), Latte\RuntimeException::class);
+	Assert::exception(fn() => Filters::renderXmlAttribute('name"name', ''), Latte\RuntimeException::class);
+});