Switch to default-escaped in templates.

This means any variable used in a template is automatically
HTML-escaped, unless it is marked as safe either in code by
using a SafeString, or in the template with the `mark_safe`
function or the `safe` filter.

1 files changed, 33 insertions, 0 deletions

diff --git a/t/template.t b/t/template.t
new file mode 100644
index 000000000..1763a7f12
--- /dev/null
+++ b/t/template.t
@@ -0,0 +1,33 @@
+use FixMyStreet::Test;
+
+use_ok 'FixMyStreet::Template';
+
+my $tt = FixMyStreet::Template->new;
+
+my $output = '';
+$tt->process(\'[% s %] [% s | safe %] [% s | upper %] [% s | html %]', {
+    s => 'sp<i>l</i>it'
+}, \$output);
+is $output, 'sp&lt;i&gt;l&lt;/i&gt;it sp<i>l</i>it SP&lt;I&gt;L&lt;/I&gt;IT sp&lt;i&gt;l&lt;/i&gt;it';
+
+$output = '';
+$tt->process(\'[% s | html_para %]', { s => 'sp<i>l</i>it' }, \$output);
+is $output, "<p>\nsp&lt;i&gt;l&lt;/i&gt;it</p>\n";
+
+$output = '';
+$tt->process(\'[% loc("s") %] [% loc("s") | html_para %]', {}, \$output);
+is $output, "s <p>\ns</p>\n";
+
+$output = '';
+$tt->process(\'[% s.upper %] [% t = s %][% t %] [% t.upper %]', {
+    s => 'sp<i>l</i>it'
+}, \$output);
+is $output, 'SP&lt;I&gt;L&lt;/I&gt;IT sp&lt;i&gt;l&lt;/i&gt;it SP&lt;I&gt;L&lt;/I&gt;IT';
+
+$output = '';
+$tt->process(\'H: [% s.split(":").join(",") %]', {
+    s => '1:sp<i>l</i>it:3'
+}, \$output);
+is $output, 'H: 1,sp&lt;i&gt;l&lt;/i&gt;it,3';
+
+done_testing;