fix escape filter #835

mozilla · Sep 7, 2016 · 038ba1e · 038ba1e
1 parent 969c194
commit 038ba1e
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,7 @@ Changelog
 2.4.3 (Sep 7 2016)
 ----------------
 
-* Fix potential cast-related XSS vulnerability in autoescape mode.
+* Fix potential cast-related XSS vulnerability in autoescape mode, and with `escape` filter.
   [#836](https://github.com/mozilla/nunjucks/pull/836)
 
 2.4.2 (Apr 15 2016)

diff --git a/src/filters.js b/src/filters.js
@@ -116,10 +116,10 @@ var filters = {
     },
 
     escape: function(str) {
-        if(typeof str === 'string') {
-            return r.markSafe(lib.escape(str));
+        if(str instanceof r.SafeString) {
+            return str;
         }
-        return str;
+        return r.markSafe(lib.escape(str.toString()));
     },
 
     safe: function(str) {

diff --git a/tests/filters.js b/tests/filters.js
@@ -110,6 +110,15 @@
             finish(done);
         });
 
+        it('should work with non-string values', function(done) {
+            var res1 = render('{{ foo | escape }}', {foo: ['<html>']}, { autoescape: false });
+            expect(res1).to.be('&lt;html&gt;');
+
+            var res2 = render('{{ foo | escape }}', {foo: {toString: function() { return '<html>'; }}}, { autoescape: false });
+            expect(res2).to.be('&lt;html&gt;');
+            finish(done);
+        });
+
         it('should not escape safe strings with autoescape on', function(done) {
             var res1 = render('{{ "<html>" | safe | escape }}', {}, { autoescape: true });
             expect(res1).to.be('<html>');