Merge pull request LaravelCollective#469 from crishoj/5.5

Proposal: Escape HTML entities in `src`-attribute
paganuzzi · Feb 5, 2018 · a5f7464 · a5f7464
2 parents cd71ed1 + 1810274
commit a5f7464
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/src/HtmlBuilder.php b/src/HtmlBuilder.php
@@ -162,7 +162,7 @@ public function link($url, $title = null, $attributes = [], $secure = null, $esc
             $title = $this->entities($title);
         }
 
-        return $this->toHtmlString('<a href="' . $url . '"' . $this->attributes($attributes) . '>' . $title . '</a>');
+        return $this->toHtmlString('<a href="' . $this->entities($url) . '"' . $this->attributes($attributes) . '>' . $title . '</a>');
     }
 
     /**

diff --git a/tests/HtmlBuilderTest.php b/tests/HtmlBuilderTest.php
@@ -118,8 +118,11 @@ public function testLink()
 
         $result2 = $this->htmlBuilder->link("http://www.example.com", "<span>Example.com</span>", ["class" => "example-link"], null, false);
 
+        $result3 = $this->htmlBuilder->link("https://a.com/b?id=4&not_id=5", "URL which needs escaping");
+
         $this->assertEquals('<a href="http://www.example.com" class="example-link">&lt;span&gt;Example.com&lt;/span&gt;</a>', $result1);
         $this->assertEquals('<a href="http://www.example.com" class="example-link"><span>Example.com</span></a>', $result2);
+        $this->assertEquals('<a href="https://a.com/b?id=4&amp;not_id=5">URL which needs escaping</a>', $result3);
     }
 
     public function testMailto()
-Original file line number
+Diff line change
@@ Expand Up @@
                 $title = $this->entities($title);
             }
-            return $this->toHtmlString('<a href="' . $url . '"' . $this->attributes($attributes) . '>' . $title . '</a>');
+            return $this->toHtmlString('<a href="' . $this->entities($url) . '"' . $this->attributes($attributes) . '>' . $title . '</a>');
         }
         /**
@@ Expand Down @@