Latte: escape url in css in style attribute

[hrach]

<div style="background-image: url({$img});">

escapes output almost correctly, but the escape of space is missing.

<div style="background-image: url(\/\/img\.example\.com\/upload\/test file\.jpg);">

nette 06c27ba

[hrach]

cc @dg do you know how to fix this?

[mishak87]

This looks fishy.

Some characters appearing in an unquoted URI, such as parentheses, white space characters, single quotes (') and double quotes ("), must be escaped with a backslash so that the resulting URI value is a URI token: '(', ')'.
CSS2

Dot and forward slash should not be escaped, also whitespace before and after value is allowed so it should not be escaped either.

Since it allows for unclear interpretation, there should be escaping context CSS PLAIN URL (escape whitespace, parenthesis, quote, double quote and maybe backslash), CSS QUOTED STRING (escape quote and backslash) and CSS DOUBLE QUOTED STRING (escape double quote and backslash) with according escaping.

I am not sure what is implemented, take this as a checklist.

[JanTvrdik]

The whole escapeCss does not work properly, because there are many possible contexts in CSS alone and we recognize only one.

[hrach]

cc @dg do you plan to fix this? otherwise I would close it...

[dg]

I do not want to develop CSS parser, so the question is whether to start escaping whitespace globally in CSS is OK or not. The opposite problem #1512

[hrach]

if I recall it correctly, <div style="background-image: url('{$img}');"> fixes the issue.