From d73cbf1cee2110629184ded814c0a3606c4b3330 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Thu, 30 Dec 2021 11:58:41 -0600
Subject: [PATCH] TokenSmartyTest - Add more coverage re: HTML escaping of data
---
tests/phpunit/CRM/Core/TokenSmartyTest.php | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/tests/phpunit/CRM/Core/TokenSmartyTest.php b/tests/phpunit/CRM/Core/TokenSmartyTest.php
index 7bf7b89da1..193b4a7c9d 100644
--- a/tests/phpunit/CRM/Core/TokenSmartyTest.php
+++ b/tests/phpunit/CRM/Core/TokenSmartyTest.php
@@ -132,6 +132,21 @@ class CRM_Core_TokenSmartyTest extends CiviUnitTestCase {
 ];
 }
+ public function testTokenDataEscape() {
+ $cutesyContactId = $this->individualCreate([
+ 'first_name' => 'Ivan\'s "The Terib`le"',
+ ]);
+ $rendered = CRM_Core_TokenSmarty::render(
+ [
+ 'msg_html' => 'First name is {contact.first_name}.',
+ 'msg_text' => 'First name is __{contact.first_name}__.',
+ ],
+ ['contactId' => $cutesyContactId]
+ );
+ $this->assertEquals('First name is Ivan's "The Ter<r>ib`le".', $rendered['msg_html']);
+ $this->assertEquals('First name is __Ivan\'s "The Terib`le"__.', $rendered['msg_text']);
+ }
+
 /**
 * Someone malicious gives cutesy expressions (via token-content) that tries to provoke extra evaluation.
 */
--
2.25.1
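Review bot: The `first_name` fixture in `testTokenDataEscape` exercises quotes, a backtick and (going by the expected string) an angle-bracket pair, but no `&`, so the `msg_html` assertion would not notice double-encoding or an ampersand left unencoded; adding an `&` to the fixture and to both expectations would close that gap. As rendered on this page the `msg_html` expectation shows a bare `'`, `"` and `<r>` inside a single-quoted literal while the input shows no `<r>`, which looks like entity decoding by the page rather than the committed text, so the real expected value should be read from the repository before relying on this view. The new method also lacks the docblock its neighbour has; something like `/** Contact data is HTML-encoded when rendered into msg_html and left as-is in msg_text. */` would state the contract the two assertions pin. `assertSame` instead of `assertEquals` would keep both string comparisons strict.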