MDL-68066 output: Apply disable lambda rendering to Mustache renderer

2025-08-04 16:36:37 +02:00 · 2022-08-19 14:34:09 +08:00 · 2022-08-19 14:34:09 +08:00 · c43123adde
commit c43123adde
parent fcbb645671
3 changed files with 11 additions and 22 deletions
--- a/lib/mustache/readme_moodle.txt
+++ b/lib/mustache/readme_moodle.txt
@ -17,3 +17,6 @@ Local changes:
 Note: All this changes need to be reviewed on every upgrade and, if they have
 been already applied upstream for the release being used, can be removed
 from the list. If still not available upstream, they will need to be re-applied.
+
+1) If the relevant pull request has not been accepted yet, apply the following commit, so we are able to disable unnecessary rendering:
+    https://github.com/bobthecow/mustache.php/pull/402/commits/db771014c7e346438f68077813ebdda3fdae12df#
--- a/lib/outputrenderers.php
+++ b/lib/outputrenderers.php
@ -135,7 +135,10 @@ class renderer_base {
                // Don't allow the JavaScript helper to be executed from within another
                // helper. If it's allowed it can be used by users to inject malicious
                // JS into the page.
-                'disallowednestedhelpers' => ['js']));
+                'disallowednestedhelpers' => ['js'],
+                // Disable lambda rendering - content in helpers is already rendered, no need to render it again.
+                'disable_lambda_rendering' => true,
+            ));

        }

--- a/lib/tests/core_renderer_template_exploit_test.php
+++ b/lib/tests/core_renderer_template_exploit_test.php
@ -88,7 +88,7 @@ class core_renderer_template_exploit_test extends \advanced_testcase {
                    'test1' => $norender,
                ],
                'js' => 'some nasty JS',
-                'expected' => 'core, move,  some text',
+                'expected' => 'core, move,  some text {{}}',
                'include' => false
            ],
            'js helper not nested' => [
@ -131,7 +131,7 @@ class core_renderer_template_exploit_test extends \advanced_testcase {
                    'testpix' => $singlerender
                ],
                'js' => 'some nasty JS',
-                'expected' => 'core, move,',
+                'expected' => 'core, move, {{}}',
                'include' => false
            ],
            'js in context double depth with single render' => [
@ -147,7 +147,7 @@ class core_renderer_template_exploit_test extends \advanced_testcase {
                    'testpix' => $singlerender
                ],
                'js' => 'some nasty JS',
-                'expected' => 'core, move, {{#js}} some nasty JS {{/js}}',
+                'expected' => 'core, move, {{second}}',
                'include' => false
            ],
            'js in context double depth with recursive render' => [
@ -267,24 +267,7 @@ class core_renderer_template_exploit_test extends \advanced_testcase {
                    'testpix' => $singlerender
                ],
                'js' => 'some nasty JS',
-                'expected' => 'core, move,',
-                'include' => false
-            ],
-            'partial double nested with js from context single render' => [
-                'templates' => [
-                    'test' => '{{#testpix}} core, move, {{foo}}{{/testpix}}',
-                    'test2' => '{{#js}} some nasty JS {{/js}}',
-                ],
-                'torender' => 'test',
-                'context' => [
-                    'foo' => '{{{bar}}}',
-                    'bar' => '{{> test2}}'
-                ],
-                'helpers' => [
-                    'testpix' => $singlerender
-                ],
-                'js' => 'some nasty JS',
-                'expected' => 'core, move, {{> test2}}',
+                'expected' => 'core, move, {{&gt; test2}}',
                'include' => false
            ],
            'partial double nested with js from context recursive render' => [