From c30111eee3c51042e9a769f04c3d7370607ec688 Mon Sep 17 00:00:00 2001
From: Damian Mooyman
Date: Wed, 2 Apr 2014 17:19:14 +1300
Subject: [PATCH] Better encoding of javascript Fixes #2988
---
 core/Convert.php | 7 ++++-
 tests/core/ConvertTest.php | 52 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/core/Convert.php b/core/Convert.php
index 94c6234c0..819d2abd0 100644
--- core/Convert.php
+++ core/Convert.php
@@ -89,7 +89,12 @@ class Convert {
 foreach($val as $k => $v) $val[$k] = self::raw2js($v);
 return $val;
 } else {
- return str_replace(array("\\", '"', "\n", "\r", "'"), array("\\\\", '\"', '\n', '\r', "\\'"), $val);
+ return str_replace(
+ // Intercepts some characters such as <, >, and & which can interfere
+ array("\\", '"', "\n", "\r", "'", "<", ">", "&"),
+ array("\\\\", '\"', '\n', '\r', "\\'", "\\x3c", "\\x3e", "\\x26"),
+ $val
+ );
 }
 }

diff --git a/tests/core/ConvertTest.php b/tests/core/ConvertTest.php
index 0c5756718..35141940d 100644
--- tests/core/ConvertTest.php
+++ tests/core/ConvertTest.php
@@ -186,4 +186,56 @@ class ConvertTest extends SapphireTest {
 );
 }
 }
+
+ public function testRaw2JS() {
+ // Test attempt to break out of string
+ $this->assertEquals(
+ '\\"; window.location=\\"http://www.google.com',
+ Convert::raw2js('"; window.location="http://www.google.com')
+ );
+ $this->assertEquals(
+ '\\\'; window.location=\\\'http://www.google.com',
+ Convert::raw2js('\'; window.location=\'http://www.google.com')
+ );
+ // Test attempt to close script tag
+ $this->assertEquals(
+ '\\"; \\x3c/script\\x3e\\x3ch1\\x3eHa \\x26amp; Ha\\x3c/h1\\x3e\\x3cscript\\x3e',
+ Convert::raw2js('";
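Review bot: The new replacement array in the `str_replace` call still writes quotes as `\"` and `\'`, so a literal quote character reaches the output; if the result is placed in an HTML attribute such as an inline event handler, the attribute ends at that quote regardless of the backslash. Since this change already hex-escapes `<`, `>` and `&`, the quotes could get the same treatment, `"\\x22"` and `"\\x27"` in place of `'\"'` and `"\\'"`, with the expectations in testRaw2JS adjusted to match. U+2028 and U+2029, which older JavaScript engines treat as line terminators inside string literals, are also left alone; adding `"\xE2\x80\xA8"`, `"\xE2\x80\xA9"` to the search array and `'\u2028'`, `'\u2029'` to the replacements would cover them. The added comment ends at `which can interfere` without saying with what; something like `// Hex-escape <, > and & so the value cannot close the surrounding <script> element or be read as markup` would record the reason. raw2js begins above this hunk, so how callers embed the result is not visible here.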

Ha & Ha