Skip to content

[BUGFIX] Do not escape characters that do not need escaping in CSS string #1444

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
JakeQZ merged 15 commits into from
Jan 18, 2026
Merged

[BUGFIX] Do not escape characters that do not need escaping in CSS string #1444

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
c8b4e76
[FEATURE] Do not escape characters that do not need escaping in CSS s…
8ctopus Dec 25, 2025
be7ede6
[TASK] Cleanup code formatting
8ctopus Jan 8, 2026
1aa4926
[TASK] Add do not escape characters that do not need escaping test
8ctopus Jan 8, 2026
1611d76
[TASK] Cleanup code formatting
8ctopus Jan 8, 2026
99d61b3
[TASK] Cleanup code formatting
8ctopus Jan 8, 2026
c942c34
[TASK] Clean up code
8ctopus Jan 9, 2026
ce0f031
[TASK] Add one more test to test css string escaping
8ctopus Jan 9, 2026
cfad5c5
Switch to `addclashes`
oliverklee Jan 17, 2026
a7b65ba
Update tests/Unit/Value/CSSStringTest.php
oliverklee Jan 17, 2026
69e1ce1
Update tests/Unit/Value/CSSStringTest.php
oliverklee Jan 17, 2026
e01569e
Update tests/Unit/Value/CSSStringTest.php
oliverklee Jan 17, 2026
3f03f43
Fix formatting
oliverklee Jan 17, 2026
a23c5be
Narrow type
oliverklee Jan 17, 2026
56e605e
Update tests/Unit/Value/CSSStringTest.php
oliverklee Jan 17, 2026
0d120d5
Keep changelog entry in the not-yet-released release
oliverklee Jan 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ Please also have a look at our

### Fixed

- Do not escape characters that do not need escaping in CSS string (#1444)
- Reject selector comprising only whitespace (#1433)
- Improve recovery parsing when a rogue `}` is encountered (#1425, #1426)
- Parse comment(s) immediately preceding a selector (#1421, #1424)
Expand Down
13 changes: 12 additions & 1 deletion src/Value/CSSString.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,7 @@ public function getString(): string
*/
public function render(OutputFormat $outputFormat): string
{
$string = \addslashes($this->string);
$string = $this->escape($this->string, $outputFormat->getStringQuotingType());
$string = \str_replace("\n", '\\A', $string);
Copy link
Collaborator

@JakeQZ JakeQZ Jan 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should move this to the new escape method as a post-PR. Or maybe it can be done as part of this PR, as I've just spotted an issue with the changelog that also needs resolving.

Copy link
Collaborator

@oliverklee oliverklee Jan 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd prefer to have this as a post-PR cleanup as I still don't fully understand the \\A thing.

Copy link
Collaborator

@oliverklee oliverklee Jan 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#1466

return $outputFormat->getStringQuotingType() . $string . $outputFormat->getStringQuotingType();
}
Expand All @@ -111,4 +111,15 @@ public function getArrayRepresentation(): array
'contents' => $this->string,
];
}

/**
* @param "'"|'"' $quote
*/
private function escape(string $string, string $quote): string
{
$charactersToEscape = '\\';
$charactersToEscape .= ($quote === '"' ? '"' : "'");

return \addcslashes($string, $charactersToEscape);
}
}
4 changes: 2 additions & 2 deletions tests/ParserTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -206,10 +206,10 @@ public function unicodeParsing(): void
self::assertSame('"\\"\\""', $firstContentRuleAsString);
}
if ($selector === '.test-9') {
self::assertSame('"\\"\\\'"', $firstContentRuleAsString);
self::assertSame('"\\"\'"', $firstContentRuleAsString);
}
if ($selector === '.test-10') {
self::assertSame('"\\\'\\\\"', $firstContentRuleAsString);
self::assertSame('"\'\\\\"', $firstContentRuleAsString);
}
if ($selector === '.test-11') {
self::assertSame('"test"', $firstContentRuleAsString);
Expand Down
39 changes: 39 additions & 0 deletions tests/Unit/Value/CSSStringTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
namespace Sabberworm\CSS\Tests\Unit\Value;

use PHPUnit\Framework\TestCase;
use Sabberworm\CSS\OutputFormat;
use Sabberworm\CSS\Value\CSSString;
use Sabberworm\CSS\Value\PrimitiveValue;
use Sabberworm\CSS\Value\Value;
Expand Down Expand Up @@ -107,4 +108,42 @@ public function getArrayRepresentationIncludesContents(): void
self::assertArrayHasKey('contents', $result);
self::assertSame($contents, $result['contents']);
}

/**
* @test
*/
public function doesNotEscapeSingleQuotesThatDoNotNeedToBeEscaped(): void
{
$input = "data:image/svg+xml,%3Csvg width='24' height='24' viewBox='0 0 24 24' fill='none'" .
" xmlns='http://www.w3.org/2000/svg'%3E%3Cpath fill-rule='evenodd' clip-rule='evenodd'" .
" d='M14.3145 2 3V11.9987H17.5687L18 8.20761H14.3145L14.32 6.31012C14.32 5.32134 14.4207" .
' 4.79153 15.9426 4.79153H17.977V1H14.7223C10.8129 1 9.43687 2.83909 9.43687 ' .
" 5.93187V8.20804H7V11.9991H9.43687V23H14.3145Z' fill='black'/%3E%3C/svg%3E%0A";

$outputFormat = OutputFormat::createPretty();

self::assertSame("\"{$input}\"", (new CSSString($input))->render($outputFormat));

$outputFormat->setStringQuotingType("'");

$expected = str_replace("'", "\\'", $input);

self::assertSame("'{$expected}'", (new CSSString($input))->render($outputFormat));
}

/**
* @test
*/
public function doesNotEscapeDoubleQuotesThatDoNotNeedToBeEscaped(): void
{
$input = '"Hello World"';

$outputFormat = OutputFormat::createPretty();

self::assertSame('"\\"Hello World\\""', (new CSSString($input))->render($outputFormat));

$outputFormat->setStringQuotingType("'");

self::assertSame("'{$input}'", (new CSSString($input))->render($outputFormat));
}
}
2 changes: 1 addition & 1 deletion tests/fixtures/unicode.css
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
.test-6 { content: "\00A5" } /* Same as "¥" */
.test-7 { content: '\a' } /* Same as "\A" (Newline) */
.test-8 { content: "\"\22" } /* Same as "\"\"" */
.test-9 { content: "\"\27" } /* Same as ""\"\'"" */
.test-9 { content: "\"\27" } /* Same as "\"'" */
.test-10 { content: "\'\\" } /* Same as "'\" */
.test-11 { content: "\test" } /* Same as "test" */

Expand Down