diff --git a/Tests/OutputFilterTest.php b/Tests/OutputFilterTest.php
index 1db69661..c522320b 100644
--- a/Tests/OutputFilterTest.php
+++ b/Tests/OutputFilterTest.php
@@ -18,11 +18,9 @@
class FilterTestObject
{
public $string1;
-
public $string2;
-
public $string3;
-
+ public $_string4;
public $array1;
/**
@@ -33,6 +31,7 @@ public function __construct()
$this->string1 = "";
$this->string2 = "This is a test.";
$this->string3 = "";
+ $this->_string4 = "";
$this->array1 = [1, 2, 3];
}
}
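Review bot: The fixture value `$this->_string4 = "";` cannot prove the fix, because an empty string already satisfies `$v == null` in objectHtmlSafe and is unchanged by escaping anyway, so the `_string4` assertions added in testObjectHtmlSafe and testObjectHtmlSafeWithArray would also pass against the old `substr($k, 1, 1)` check. Give the property markup-bearing content, for example the constructed value `$this->_string4 = '<b>x</b>';`, and assert it comes back unescaped (assuming setUp, which is not visible here, does not overwrite it). The more security-relevant half of the regression is also untested: before this change a key whose second character is `_` was skipped and left unescaped, so a property such as `public $a_string5;` holding markup should be asserted to come back escaped. The constructor begins above this hunk.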
@@ -79,6 +78,7 @@ public function testObjectHtmlSafe()
$this->assertEquals('<script>alert();</script>', $this->safeObject->string1, "Script tag should be defused");
$this->assertEquals('This is a test.', $this->safeObject->string2, "Plain text should pass");
$this->assertEquals('', $this->safeObject->string3, "This Script tag should be passed");
+ $this->assertEquals('', $this->safeObject->_string4, "Property which begins with underscore should pass.");
}
/**
@@ -90,6 +90,7 @@ public function testObjectHtmlSafeWithArray()
$this->assertEquals('', $this->safeObject->string1, "Script tag should pass array test");
$this->assertEquals('This is a test.', $this->safeObject->string2, "Plain text should pass array test");
$this->assertEquals('', $this->safeObject->string3, "This Script tag should pass array test");
+ $this->assertEquals('', $this->safeObject->_string4, "Property which begins with underscore should pass array test.");
}
/**
diff --git a/src/OutputFilter.php b/src/OutputFilter.php
index 0bc01d50..d69622f3 100644
--- a/src/OutputFilter.php
+++ b/src/OutputFilter.php
@@ -49,7 +49,7 @@ public static function objectHtmlSafe(&$mixed, $quoteStyle = \ENT_QUOTES, $exclu
if (\is_object($mixed)) {
foreach (get_object_vars($mixed) as $k => $v) {
- if (\is_array($v) || \is_object($v) || $v == null || substr($k, 1, 1) == '_') {
+ if (\is_array($v) || \is_object($v) || $v == null || substr($k, 0, 1) == '_') {
continue;
}