From ac77a36c072fe08afb12bfc36db461f60d014b67 Mon Sep 17 00:00:00 2001
From: stephann <3025661+stephannv@users.noreply.github.com>
Date: Mon, 9 Sep 2024 09:33:37 -0300
Subject: [PATCH] fix: Content argument safety
---
 spec/blueprint/html/safety_spec.cr | 12 +++++++++++-
 src/blueprint/html/element_registrar.cr | 6 +++---
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/spec/blueprint/html/safety_spec.cr b/spec/blueprint/html/safety_spec.cr
index 61f84ef..c580a78 100644
--- a/spec/blueprint/html/safety_spec.cr
+++ b/spec/blueprint/html/safety_spec.cr
@@ -5,6 +5,7 @@ private class DummyPage
 private def blueprint
 span { "" }
+ span ""
 plain ""
 render(DummyComponent.new) { "" }
 div(class: "some-class\" onblur=\"alert('Attribute')")
@@ -21,7 +22,7 @@ private class DummyComponent
 end
 describe "Blueprint::HTML safety" do
- it "escapes content passed to tags" do
+ it "escapes content passed to tags via block" do
 page = DummyPage.new
 expected_html = <<-HTML.strip
 <script>alert('hello')</script>
@@ -30,6 +31,15 @@ describe "Blueprint::HTML safety" do
 page.to_html.should contain(expected_html)
 end
+ it "escapes content passed to tags via argument" do
+ page = DummyPage.new
+ expected_html = <<-HTML.strip
+ <script>alert('content')</script>
+ HTML
+
+ page.to_html.should contain(expected_html)
+ end
+
 it "escapes plain text" do
 page = DummyPage.new
 expected_html = <<-HTML.strip
diff --git a/src/blueprint/html/element_registrar.cr b/src/blueprint/html/element_registrar.cr
index f6d214c..e83a7ae 100644
--- a/src/blueprint/html/element_registrar.cr
+++ b/src/blueprint/html/element_registrar.cr
@@ -7,7 +7,7 @@ module Blueprint::HTML
 end
 private def {{method_name.id}}(**attributes) : Nil
- element({{tag}}, **attributes) { "" }
+ element({{tag}}, "", **attributes)
 end
 private def {{method_name.id}}(__content__ : String, **attributes) : Nil
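Review bot: The new `it "escapes content passed to tags via argument"` example only asserts that the escaped fragment is present in `page.to_html`; nothing asserts that the raw payload is absent, so the test pins the escaper's exact entity choice rather than the property the commit is about. Adding `page.to_html.should_not contain("<script>alert('content')</script>")` next to the existing `contain` states the safety property directly and keeps the example valid if the entity form ever changes; the renamed "via block" example in the @@ -21 hunk has the same shape and would benefit from the same negative check. This page shows the heredoc body already entity-decoded, so the committed expectation is presumably the escaped form — worth confirming against the actual file.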
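Review bot: The generated no-content overload `private def {{method_name.id}}(**attributes) : Nil` now hands an empty String to the content overload instead of an empty block, but nothing in the macro records why, and a later tidy-up could switch it back to the block form, which (judging by the @@ -47 hunk, where `::HTML.escape(__content__, @buffer)` replaces the raw append) does not go through the String-content path. A one-line comment would anchor the intent: `# Route through the String overload so empty and explicit content share one escaping path.` The identical change in the @@ -19 hunk should carry the same comment. The enclosing macro body begins before this hunk.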
@@ -19,7 +19,7 @@ module Blueprint::HTML
 {% tag ||= method_name.tr("_", "-") %}
 private def {{method_name.id}}(**attributes) : Nil
- element({{tag}}, **attributes) { "" }
+ element({{tag}}, "", **attributes)
 end
 end
@@ -47,7 +47,7 @@ module Blueprint::HTML
 @buffer << _tag_name
 @buffer << parse_attributes(attributes)
 @buffer << ">"
- @buffer << __content__
+ ::HTML.escape(__content__, @buffer)
 @buffer << ""