*/ private function context(): array { return [ 'title' => 'Security check report', 'customer_name' => 'Acme', 'customer_no' => 'D-100', 'domain' => 'acme.de', 'product' => 'Intranet', 'owner' => 'Jane Doe', 'status_label' => 'In progress', 'generated_at' => '2026-06-22 10:00', 'app_name' => 'CoreCore', 'customer_report' => "Line one\nLine two", 'logo_data_uri' => 'data:image/png;base64,AAAA', 'summary' => ['percent' => 72, 'tech_done' => 2, 'tech_total' => 3], 'tech_sections' => [ ['label' => 'Transport', 'items' => [ ['label' => 'TLS enforced', 'done' => true, 'note' => 'TLS 1.3'], ['label' => 'HSTS header', 'done' => false, 'note' => ''], ]], ], 'steps' => [ ['number' => 1, 'label' => 'Kickoff', 'done' => true, 'completed_at' => '2026-06-18'], ], ]; } public function testRenderSubstitutesScalarsAndEscapesData(): void { $service = new SecurityReportTemplateService(); $out = $service->render( '

{{title}}

who={{customer_name}} dom={{domain}} owner={{owner}} p={{percent}}% src={{logo_src}}', $this->context() ); $this->assertStringContainsString('

Security check report

', $out); $this->assertStringContainsString('dom=acme.de', $out); $this->assertStringContainsString('owner=Jane Doe', $out); $this->assertStringContainsString('p=72%', $out); $this->assertStringContainsString('src=data:image/png;base64,AAAA', $out); // Customer data is HTML-escaped so it cannot break out of the template markup. $this->assertStringContainsString('who=<b>Acme</b>', $out); $this->assertStringNotContainsString('Acme', $out); } public function testRenderCustomerReportEscapesAndPreservesLineBreaks(): void { $service = new SecurityReportTemplateService(); $context = $this->context(); $context['customer_report'] = "First line