Escape parameter on generated response

Author: Jérémy Derussé

HttpCache/Esi.php

@@ -236,9 +236,9 @@ private function handleEsiIncludeTag($attributes)
             throw new \RuntimeException('Unable to process an ESI tag without a "src" attribute.');
         }
 
-        return sprintf('<?php echo $this->esi->handle($this, \'%s\', \'%s\', %s) ?>'."\n",
-            $options['src'],
-            isset($options['alt']) ? $options['alt'] : null,
+        return sprintf('<?php echo $this->esi->handle($this, %s, %s, %s) ?>'."\n",
+            var_export($options['src'], true),
+            var_export(isset($options['alt']) ? $options['alt'] : '', true),
             isset($options['onerror']) && 'continue' == $options['onerror'] ? 'true' : 'false'
         );
     }

Tests/HttpCache/EsiTest.php

@@ -110,6 +110,11 @@ public function testProcess()
         $this->assertEquals('foo <?php echo $this->esi->handle($this, \'...\', \'alt\', true) ?>'."\n", $response->getContent());
         $this->assertEquals('ESI', $response->headers->get('x-body-eval'));
 
+        $response = new Response('foo <esi:comment text="some comment" /><esi:include src="foo\'" alt="bar\'" onerror="continue" />');
+        $esi->process($request, $response);
+
+        $this->assertEquals("foo <?php echo \$this->esi->handle(\$this, 'foo\\'', 'bar\\'', true) ?>"."\n", $response->getContent());
+
         $response = new Response('foo <esi:include src="..." />');
         $esi->process($request, $response);