Make Options, HelperOptions, and SafeString final

theodorejb · theodorejb · commit 59caa321dc0b · 2026-04-02T15:39:56.000-05:00
diff --git a/src/HelperOptions.php b/src/HelperOptions.php
@@ -14,7 +14,7 @@ enum Scope
 /**
  * @phpstan-import-type Template from Handlebars
  */
-class HelperOptions
+final class HelperOptions
 {
     /**
      * @param array<mixed> $data
@@ -46,7 +46,7 @@ public function hasPartial(string $name): bool
      * Typically used alongside hasPartial() to implement lazy partial loading.
      * @param Template $partial
      */
-    public function registerPartial(string $name, \Closure $partial): void
+    public function registerPartial(string $name, Closure $partial): void
     {
         $this->cx->partials[$name] = $partial;
     }
@@ -69,6 +69,7 @@ public function fn(mixed $context = Scope::Use, mixed $data = null): string
             if ($this->inv === null) {
                 throw new \Exception('fn() is not supported for inline helpers');
             }
+            // Occurs when blockHelperMissing routes a truthy context through fn() for an inverted block.
             return '';
         }
         return $this->invokeBlock($this->cb, $context, $data);
@@ -85,7 +86,7 @@ public function inverse(mixed $context = Scope::Use, mixed $data = null): string
         return $this->invokeBlock($this->inv, $context, $data);
     }
 
-    private function invokeBlock(\Closure $closure, mixed $context, mixed $data): string
+    private function invokeBlock(Closure $closure, mixed $context, mixed $data): string
     {
         $cx = $this->cx;
         // Save inlinePartials so that any {{#* inline}} partials registered inside the block body
diff --git a/src/Options.php b/src/Options.php
@@ -4,7 +4,7 @@
 
 use Closure;
 
-readonly class Options
+final readonly class Options
 {
     /** @var array<string, bool> */
     public array $knownHelpers;
@@ -27,6 +27,6 @@ public function __construct(
         public ?Closure $partialResolver = null,
     ) {
         $builtIn = ['if' => true, 'unless' => true, 'each' => true, 'with' => true, 'lookup' => true, 'log' => true];
-        $this->knownHelpers = array_replace($builtIn, $knownHelpers);
+        $this->knownHelpers = $knownHelpers ? array_replace($builtIn, $knownHelpers) : $builtIn;
     }
 }
diff --git a/src/SafeString.php b/src/SafeString.php
@@ -4,17 +4,15 @@
 
 /**
  * Can be returned from a custom helper to prevent an HTML string from being escaped
- * when the template is rendered. When constructing, any external content should be
- * properly escaped using Handlebars::escapeExpression() to avoid potential security concerns.
+ * when the template is rendered. Because SafeString bypasses the automatic HTML escaping
+ * that {{ }} applies, any user-supplied content embedded in it must first be escaped with
+ * Handlebars::escapeExpression() to prevent XSS vulnerabilities.
  */
-class SafeString implements \Stringable
+final readonly class SafeString implements \Stringable
 {
-    private string $string;
-
-    public function __construct(string $string)
-    {
-        $this->string = $string;
-    }
+    public function __construct(
+        private string $string,
+    ) {}
 
     public function __toString(): string
     {

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ enum Scope`
`14`	`14`	`/**`
`15`	`15`	`* @phpstan-import-type Template from Handlebars`
`16`	`16`	`*/`
`17`		`-class HelperOptions`
	`17`	`+final class HelperOptions`
`18`	`18`	`{`
`19`	`19`	`/**`
`20`	`20`	`* @param array<mixed> $data`
`@@ -46,7 +46,7 @@ public function hasPartial(string $name): bool`
`46`	`46`	`* Typically used alongside hasPartial() to implement lazy partial loading.`
`47`	`47`	`* @param Template $partial`
`48`	`48`	`*/`
`49`		`- public function registerPartial(string $name, \Closure $partial): void`
	`49`	`+ public function registerPartial(string $name, Closure $partial): void`
`50`	`50`	`{`
`51`	`51`	`$this->cx->partials[$name] = $partial;`
`52`	`52`	`}`
`@@ -69,6 +69,7 @@ public function fn(mixed $context = Scope::Use, mixed $data = null): string`
`69`	`69`	`if ($this->inv === null) {`
`70`	`70`	`throw new \Exception('fn() is not supported for inline helpers');`
`71`	`71`	`}`
	`72`	`+ // Occurs when blockHelperMissing routes a truthy context through fn() for an inverted block.`
`72`	`73`	`return '';`
`73`	`74`	`}`
`74`	`75`	`return $this->invokeBlock($this->cb, $context, $data);`
`@@ -85,7 +86,7 @@ public function inverse(mixed $context = Scope::Use, mixed $data = null): string`
`85`	`86`	`return $this->invokeBlock($this->inv, $context, $data);`
`86`	`87`	`}`
`87`	`88`
`88`		`- private function invokeBlock(\Closure $closure, mixed $context, mixed $data): string`
	`89`	`+ private function invokeBlock(Closure $closure, mixed $context, mixed $data): string`
`89`	`90`	`{`
`90`	`91`	`$cx = $this->cx;`
`91`	`92`	`// Save inlinePartials so that any {{#* inline}} partials registered inside the block body`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`
`5`	`5`	`use Closure;`
`6`	`6`
`7`		`-readonly class Options`
	`7`	`+final readonly class Options`
`8`	`8`	`{`
`9`	`9`	`/** @var array<string, bool> */`
`10`	`10`	`public array $knownHelpers;`
`@@ -27,6 +27,6 @@ public function __construct(`
`27`	`27`	`public ?Closure $partialResolver = null,`
`28`	`28`	`) {`
`29`	`29`	`$builtIn = ['if' => true, 'unless' => true, 'each' => true, 'with' => true, 'lookup' => true, 'log' => true];`
`30`		`- $this->knownHelpers = array_replace($builtIn, $knownHelpers);`
	`30`	`+ $this->knownHelpers = $knownHelpers ? array_replace($builtIn, $knownHelpers) : $builtIn;`
`31`	`31`	`}`
`32`	`32`	`}`