fix: bug that esc() accepts invalid context '0'

2025-02-20 11:44:28 +08:00 · 2022-10-20 10:50:51 +09:00 · 2022-10-20 10:50:51 +09:00 · 811c4a7306
commit 811c4a7306
parent 7a631a134b
2 changed files with 7 additions and 1 deletions
--- a/system/Common.php
+++ b/system/Common.php
@ -437,7 +437,7 @@ if (! function_exists('esc')) {
            // Provide a way to NOT escape data since
            // this could be called automatically by
            // the View library.
-            if (empty($context) || $context === 'raw') {
+            if ($context === 'raw') {
                return $data;
            }

--- a/tests/system/CommonFunctionsTest.php
+++ b/tests/system/CommonFunctionsTest.php
@ -177,6 +177,12 @@ final class CommonFunctionsTest extends CIUnitTestCase
        esc(['width' => '800', 'height' => '600'], 'bogus');
    }

+    public function testEscapeBadContextZero()
+    {
+        $this->expectException('InvalidArgumentException');
+        esc('<script>', '0');
+    }
+
    /**
     * @runInSeparateProcess
     *