TokenSmartyTest - Add more coverage re: HTML escaping of data
authorTim Otten <totten@civicrm.org>
Thu, 30 Dec 2021 17:58:41 +0000 (11:58 -0600)
committerTim Otten <totten@civicrm.org>
Thu, 30 Dec 2021 18:01:21 +0000 (12:01 -0600)
tests/phpunit/CRM/Core/TokenSmartyTest.php

index 7bf7b89da11b1d54596f7d2bc975ce0ec17c1e17..193b4a7c9de1fdb0b9028d08d53f0573f5851da2 100644 (file)
@@ -132,6 +132,21 @@ class CRM_Core_TokenSmartyTest extends CiviUnitTestCase {
     ];
   }
 
+  public function testTokenDataEscape() {
+    $cutesyContactId = $this->individualCreate([
+      'first_name' => 'Ivan\'s "The Ter<r>ib`le"',
+    ]);
+    $rendered = CRM_Core_TokenSmarty::render(
+      [
+        'msg_html' => 'First name is <b>{contact.first_name}</b>.',
+        'msg_text' => 'First name is __{contact.first_name}__.',
+      ],
+      ['contactId' => $cutesyContactId]
+    );
+    $this->assertEquals('First name is <b>Ivan&#039;s &quot;The Ter&lt;r&gt;ib`le&quot;</b>.', $rendered['msg_html']);
+    $this->assertEquals('First name is __Ivan\'s "The Ter<r>ib`le"__.', $rendered['msg_text']);
+  }
+
   /**
    * Someone malicious gives cutesy expressions (via token-content) that tries to provoke extra evaluation.
    */
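Review bot: testTokenDataEscape only asserts escaping with the token in element-content position (`<b>{contact.first_name}</b>`), so a regression affecting a token placed inside an attribute value would not be caught. The expected string shows both quote characters being entity-encoded, which is what a quoted attribute depends on, so a second template such as `'msg_html' => '<b title="{contact.first_name}">x</b>'` with its own assertion would pin that context as well. The method also has no docblock, unlike the test that follows it; a comment like `/** Token data containing quotes and angle brackets is entity-encoded in msg_html and passed through unchanged in msg_text. */` would state the contract being tested. Both comparisons are between strings, so `assertSame` would make them strict where `assertEquals` is used now.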