Tag Escaping (#33)

* Bump version to 2.0 since we have a breaking change

* Add escaping by default to helper tag and explict excludes

Brings the helper tag inline with InteroplationTag

* Add and update tests for escaping and using FluentAssertions

* Update readme for esaping

* Bump versions to latest for internal and test packages

Author: Romanx

readme.md

@@ -12,7 +12,8 @@ var stubble = new StubbleBuilder()
     .Configure(conf => conf.AddHelpers(helpers))
     .Build();
 
-var result = stubble.Render("{{FormatCurrency Count}}", new { Count = 100.26m });
+// Note the '{{{' here to escape the £ symbol, by default the result is HtmlEscaped like the standard mustache tag
+var result = stubble.Render("{{{FormatCurrency Count}}}", new { Count = 100.26m });
 
 Assert.Equal("£100.26", result);
 ```
@@ -41,7 +42,7 @@ var stubble = new StubbleBuilder()
     .Configure(conf => conf.AddHelpers(helpers))
     .Build();
 
-var result = stubble.Render("{{FormatCurrency 10}}", new { });
+var result = stubble.Render("{{{FormatCurrency 10}}}", new { });
 
 Assert.Equal("£10.00", result);
 ```

src/Stubble.Helpers/HelperTagParser.cs

@@ -23,27 +23,48 @@ public override bool Match(Processor processor, ref StringSlice slice)
             {
                 throw new System.ArgumentNullException(nameof(processor));
             }
-
             var tagStart = slice.Start - processor.CurrentTags.StartTag.Length;
+            var escapeResult = true;
+            var isTripleMustache = false;
             var index = slice.Start;
 
             while (slice[index].IsWhitespace())
             {
                 index++;
             }
 
+            var match = slice[index];
+            if (match == '&')
+            {
+                escapeResult = false;
+                index++;
+            }
+            else if (match == '{')
+            {
+                escapeResult = false;
+                isTripleMustache = true;
+                index++;
+            }
+
+            while (slice[index].IsWhitespace())
+            {
+                index++;
+            }
+
+            var endTag = isTripleMustache ? '}' + processor.CurrentTags.EndTag : processor.CurrentTags.EndTag;
+
             var nameStart = index;
 
             // Skip whitespace or until end tag
-            while (!slice[index].IsWhitespace() && !slice.Match(processor.CurrentTags.EndTag, index - slice.Start))
+            while (!slice[index].IsWhitespace() && !slice.Match(endTag, index - slice.Start))
             {
                 index++;
             }
 
             var name = slice.ToString(nameStart, index);
 
             // Skip whitespace or until end tag
-            while (slice[index].IsWhitespace() && !slice.Match(processor.CurrentTags.EndTag, index - slice.Start))
+            while (slice[index].IsWhitespace() && !slice.Match(endTag, index - slice.Start))
             {
                 index++;
             }
@@ -60,7 +81,7 @@ public override bool Match(Processor processor, ref StringSlice slice)
                 var argsStart = index;
                 slice.Start = index;
 
-                while (!slice.IsEmpty && !slice.Match(processor.CurrentTags.EndTag))
+                while (!slice.IsEmpty && !slice.Match(endTag))
                 {
                     slice.NextChar();
                 }
@@ -73,15 +94,15 @@ public override bool Match(Processor processor, ref StringSlice slice)
             }
             else
             {
-                while (!slice.IsEmpty && !slice.Match(processor.CurrentTags.EndTag))
+                while (!slice.IsEmpty && !slice.Match(endTag))
                 {
                     slice.NextChar();
                 }
 
                 contentEnd = slice.Start;
             }
 
-            if (!slice.Match(processor.CurrentTags.EndTag))
+            if (!slice.Match(endTag))
             {
                 throw new StubbleException($"Unclosed Tag at {slice.Start.ToString(CultureInfo.InvariantCulture)}");
             }
@@ -92,11 +113,12 @@ public override bool Match(Processor processor, ref StringSlice slice)
                 ContentStartPosition = nameStart,
                 Name = name,
                 Args = argsList,
+                EscapeResult = escapeResult,
                 ContentEndPosition = contentEnd,
-                TagEndPosition = slice.Start + processor.CurrentTags.EndTag.Length,
+                TagEndPosition = slice.Start + endTag.Length,
                 IsClosed = true
             };
-            slice.Start += processor.CurrentTags.EndTag.Length;
+            slice.Start += endTag.Length;
 
             processor.CurrentToken = tag;
             processor.HasSeenNonSpaceOnLine = true;

src/Stubble.Helpers/HelperTagRenderer.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Immutable;
 using System.Globalization;
+using System.Net.Http.Headers;
 using System.Threading.Tasks;
 using Stubble.Core.Contexts;
 using Stubble.Core.Renderers.StringRenderer;
@@ -61,14 +62,23 @@ protected override void Write(StringRender renderer, HelperToken obj, Context co
                     }
 
                     var result = helper.Delegate.Method.Invoke(helper.Delegate.Target, arr);
+
+                    string value = null;
                     if (result is string str)
                     {
-                        renderer.Write(str);
+                        value = str;
                     }
                     else if (result is object)
                     {
-                        renderer.Write(Convert.ToString(result, context.RenderSettings.CultureInfo));
+                        value = Convert.ToString(result, context.RenderSettings.CultureInfo);
                     }
+
+                    if (!context.RenderSettings.SkipHtmlEncoding && obj.EscapeResult && value is object)
+                    {
+                        value = context.RendererSettings.EncodingFuction(value);
+                    }
+
+                    renderer.Write(value);
                 }
             }
         }

src/Stubble.Helpers/HelperToken.cs

@@ -9,13 +9,16 @@ public class HelperToken : InlineToken<HelperToken>, INonSpace
 
         public ImmutableArray<HelperArgument> Args { get; set; }
 
+        public bool EscapeResult { get; set; }
+
         public override bool Equals(HelperToken other) =>
             other is object
             && (other.TagStartPosition, other.TagEndPosition, other.ContentStartPosition, other.ContentEndPosition, other.IsClosed)
                 == (TagStartPosition, TagEndPosition, ContentStartPosition, ContentEndPosition, IsClosed)
             && other.Content.Equals(Content)
             && other.Name.Equals(Name, System.StringComparison.OrdinalIgnoreCase)
-            && CompareHelper.CompareImmutableArraysWithEquatable(Args, other.Args);
+            && CompareHelper.CompareImmutableArraysWithEquatable(Args, other.Args)
+            && other.EscapeResult == EscapeResult;
 
         public override bool Equals(object obj)
             => obj is HelperToken a && Equals(a);
@@ -24,6 +27,6 @@ public override bool Equals(object obj)
         /// </summary>
         /// <returns></returns>
         public override int GetHashCode()
-            => (Name, Args, TagStartPosition, TagEndPosition, ContentStartPosition, ContentEndPosition, Content, IsClosed).GetHashCode();
+            => (Name, Args, TagStartPosition, TagEndPosition, ContentStartPosition, ContentEndPosition, Content, IsClosed, EscapeResult).GetHashCode();
     }
 }

src/Stubble.Helpers/Stubble.Helpers.csproj

@@ -12,13 +12,10 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.CodeAnalysis.FxCopAnalyzers" Version="2.9.7">
-      <PrivateAssets>all</PrivateAssets>
-      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
-    </PackageReference>
+    <PackageReference Include="Microsoft.CodeAnalysis.NetAnalyzers" Version="6.0.0" PrivateAssets="All" />
     <PackageReference Include="Stubble.Core" Version="1.5.4" />
     <PackageReference Include="System.Collections.Immutable" Version="1.5.0" />
-    <PackageReference Include="Nerdbank.GitVersioning" Version="3.0.50" PrivateAssets="All" />
+    <PackageReference Include="Nerdbank.GitVersioning" Version="3.5.119" PrivateAssets="All" />
   </ItemGroup>
 
 </Project>