
Only allow anonymous function or class-based callback for higher-order sections.

Justin Hileman vor 15 Jahren
Ursprung
Commit
18bffdaea0
2 geänderte Dateien mit 25 neuen und 24 gelöschten Zeilen
  1. 22 3
      Mustache.php
  2. 3 21
      test/MustacheHigherOrderSectionsTest.php

+ 22 - 3
Mustache.php

@@ -229,7 +229,7 @@ class Mustache {
 				case '#':
 
 					// higher order sections
-					if (is_callable($val)) {
+					if ($this->_sectionIsCallable($val)) {
 						$content = call_user_func($val, $content);
 						$replace .= $this->_renderTemplate($content);
 					} else if ($this->_varIsIterable($val)) {
@@ -358,7 +358,6 @@ class Mustache {
 		return (is_array($this->_localPragmas[$pragma_name])) ? $this->_localPragmas[$pragma_name] : array();
 	}
 
-
 	/**
 	 * Check whether this Mustache instance throws a given exception.
 	 *
@@ -548,7 +547,6 @@ class Mustache {
 		$this->_context = $new;
 	}
 
-
 	/**
 	 * Remove the latest context from the stack.
 	 *
@@ -659,6 +657,27 @@ class Mustache {
 	protected function _varIsIterable($var) {
 		return $var instanceof Traversable || (is_array($var) && !array_diff_key($var, array_keys(array_keys($var))));
 	}
+
+	/**
+	 * Higher order sections helper: tests whether the section $var is a valid callback.
+	 *
+	 * In Mustache.php, a variable is considered 'callable' if the variable is:
+	 *
+	 *  1. an anonymous function.
+	 *  2. an object and the name of a public function, i.e. `array($SomeObject, 'methodName')`
+	 *  3. a class name and the name of a public static function, i.e. `array('SomeClass', 'methodName')`
+	 *  4. a static function name in the form `'SomeClass::methodName'`
+	 *
+	 * @access protected
+	 * @param mixed $var
+	 * @return bool
+	 */
+	protected function _sectionIsCallable($var) {
+		if (is_string($var) && (strpos($var, '::') == false)) {
+			return false;
+		}
+		return is_callable($var);
+	}
 }
 
 
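Review bot: `_sectionIsCallable` still accepts values made only of strings, `'SomeClass::methodName'` and `array('SomeClass', 'methodName')`. View data decoded from request input or JSON can therefore still name a loaded public static method, which the `case '#':` branch calls with the section content and whose return value it renders as a template. If view data can come from an untrusted source, restrict the helper to `Closure` instances and arrays whose first element is an object, or state in the docblock that view data carrying callbacks must be trusted. Separately, `strpos($var, '::') == false` treats a match at offset 0 the same as no match; the outcome is the same here because such a name is not callable, but `strpos($var, '::') === false` says what is meant. The class body starts outside this hunk.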

+ 3 - 21
test/MustacheHigherOrderSectionsTest.php

@@ -37,14 +37,6 @@ class MustacheHigherOrderSectionsTest extends PHPUnit_Framework_TestCase {
 		);
 	}
 
-	public function testFunctionSectionCallback() {
-		$this->foo->wrapper = 'make_my_logo_bigger';
-		$this->assertEquals(
-			sprintf('<h1>%s</h1>', $this->foo->name),
-			$this->foo->render('{{#wrapper}}{{name}}{{/wrapper}}')
-		);
-	}
-
 	public function testStaticSectionCallback() {
 		$this->foo->trimmer = array(get_class($this->foo), 'staticTrim');
 		$this->assertEquals($this->foo->name, $this->foo->render('{{#trimmer}}    {{name}}    {{/trimmer}}'));
@@ -56,13 +48,8 @@ class MustacheHigherOrderSectionsTest extends PHPUnit_Framework_TestCase {
 	public function testViewArraySectionCallback() {
 		$data = array(
 			'name' => 'Bob',
-			'wrap' => 'make_my_logo_bigger',
 			'trim' => array(get_class($this->foo), 'staticTrim'),
 		);
-		$this->assertEquals(
-			sprintf('<h1>%s</h1>', $data['name']),
-			$this->foo->render('{{#wrap}}{{name}}{{/wrap}}', $data)
-		);
 		$this->assertEquals($data['name'], $this->foo->render('{{#trim}}    {{name}}    {{/trim}}', $data));
 	}
 
@@ -73,13 +60,12 @@ class MustacheHigherOrderSectionsTest extends PHPUnit_Framework_TestCase {
 		}
 		$data = array(
 			'name' => 'Bob',
-			'wrap' => 'make_my_logo_bigger',
-			'anonywrap' => function($text) {
-				return array('[[%s]]', $text);
+			'wrap' => function($text) {
+				return sprintf('[[%s]]', $text);
 			}
 		);
 		$this->assertEquals(
-			sprintf('<h1>%s</h1>', $data['name']),
+			sprintf('[[%s]]', $data['name']),
 			$this->foo->render('{{#wrap}}{{name}}{{/wrap}}', $data)
 		);
 	}
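Review bot: The tests removed for `make_my_logo_bigger` are not replaced by one that pins the new restriction, so nothing in this file fails if a plain function-name string becomes callable as a section value again. Add a case that sets a section value to the name of an existing function and asserts that the rendered output does not contain that function's result. The test method edited here starts above the hunk, so its name and any version guard are not visible.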
@@ -124,10 +110,6 @@ class Foo extends Mustache {
 	}
 }
 
-function make_my_logo_bigger($text) {
-	return sprintf('<h1>%s</h1>', $text);
-}
-
 class Monster extends Mustache {
 	public $_template = '{{#title}}{{title}} {{/title}}{{name}}';
 	public $title;