From 640c445fa3502b1756bd4c2e4d3aacba25f2c3ad Mon Sep 17 00:00:00 2001
From: Malte Wunsch
Date: Wed, 30 Oct 2024 11:14:30 +0100
Subject: [PATCH] Validate controller references with scope resolution operator stricter
---
 src/Handler/EmbeddedShortcodeHandler.php | 2 +-
 tests/Functional/EmbeddedShortcodeHandlerTest.php | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/Handler/EmbeddedShortcodeHandler.php b/src/Handler/EmbeddedShortcodeHandler.php
index d42fbd2..4c1509e 100644
--- a/src/Handler/EmbeddedShortcodeHandler.php
+++ b/src/Handler/EmbeddedShortcodeHandler.php
@@ -103,7 +103,7 @@ private function validateControllerName(string $controllerName): void
 }
 $callableFragments = explode('::', $controllerName);
- if (!\is_array($callableFragments) || !isset($callableFragments[1]) || !method_exists($callableFragments[0], $callableFragments[1])) {
+ if (!\is_array($callableFragments) || count($callableFragments) !== 2 || !method_exists($callableFragments[0], $callableFragments[1])) {
 throw new InvalidArgumentException('The controller method: "'.$controllerName.'" does not exist.');
 }
 }
diff --git a/tests/Functional/EmbeddedShortcodeHandlerTest.php b/tests/Functional/EmbeddedShortcodeHandlerTest.php
index b814d63..23a7476 100644
--- a/tests/Functional/EmbeddedShortcodeHandlerTest.php
+++ b/tests/Functional/EmbeddedShortcodeHandlerTest.php
@@ -93,6 +93,7 @@ public static function provideControllerNames(): Generator
 yield 'Missing method name' => [ShortcodeTestController::class];
 yield 'Not existing method' => [ShortcodeTestController::class.'_notExistingMethod'];
 yield 'Missing class' => ['ThisClassDoesNotExist'];
+ yield 'Valid reference followed by a second scope resolution operator' => [ShortcodeTestController::class.'::test::'];
 }
 private function processShortcodes(string $content, ?Request $request = null): string
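Review bot: `method_exists()` in the rewritten condition of `validateControllerName` returns true for private and protected methods as well as public ones, so even with the new `count($callableFragments) !== 2` check the validator accepts any existing `Class::method` pair rather than only a publicly callable action. If the aim is to reject unusable or unintended references early, extend the condition with a visibility test such as `|| !(new \ReflectionMethod($callableFragments[0], $callableFragments[1]))->isPublic()`, which is only reached once the method is known to exist. Separately, `\is_array($callableFragments)` can never be false here because `explode()` with the literal `'::'` separator always returns an array, and `count` is not written as `\count` like the neighbouring `\is_array`. The start of `validateControllerName` lies outside the hunk, so whether an earlier branch already restricts which classes are allowed is not visible from here.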