fix escape filter mozilla#835

devoidfury · Sep 7, 2016 · 5f93be5 · 5f93be5
1 parent a3de5e6
commit 5f93be5
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,7 +26,7 @@ Changelog
 * Fix handling of macro arg with default value which shares a name with another
   macro. Merge of [#791](https://github.com/mozilla/nunjucks/pull/791).
 
-* Fix potential cast-related XSS vulnerability in autoescape mode.
+* Fix potential cast-related XSS vulnerability in autoescape mode, and with `escape` filter.
   [#836](https://github.com/mozilla/nunjucks/pull/836)
 
 

diff --git a/src/filters.js b/src/filters.js
@@ -116,10 +116,10 @@ var filters = {
     },
 
     escape: function(str) {
-        if(typeof str === 'string') {
-            return r.markSafe(lib.escape(str));
+        if(str instanceof r.SafeString) {
+            return str;
         }
-        return str;
+        return r.markSafe(lib.escape(str.toString()));
     },
 
     safe: function(str) {

diff --git a/tests/filters.js b/tests/filters.js
@@ -110,6 +110,15 @@
             finish(done);
         });
 
+        it('should work with non-string values', function(done) {
+            var res1 = render('{{ foo | escape }}', {foo: ['<html>']}, { autoescape: false });
+            expect(res1).to.be('&lt;html&gt;');
+
+            var res2 = render('{{ foo | escape }}', {foo: {toString: function() { return '<html>'; }}}, { autoescape: false });
+            expect(res2).to.be('&lt;html&gt;');
+            finish(done);
+        });
+
         it('should not escape safe strings with autoescape on', function(done) {
             var res1 = render('{{ "<html>" | safe | escape }}', {}, { autoescape: true });
             expect(res1).to.be('<html>');