#3206 (update_element_function and link_to_function quote escaping)

Ticket #3206 (closed defect: fixed)

Opened 8 months ago

Last modified 8 months ago

Reported by: nonexpendable
Assigned to: fabien
Priority: major
Milestone: 1.0.13
Component: helpers
Version: 1.0.12
Keywords: ent_quotes update_element_function link_to_function escaping quotes escape html_specialchars
Cc:
Qualification: Accepted

Description

link_to_function() escapes double and single quotes via escape_once() into &quot; and &#039; respectively.

update_element_function() escapes double and single quotes with backslashes via escape_javascript().

The problem is that escape_javascript() doesn't look for &quot; or &#039; and they aren't properly escaped.

Example code:

update_element_function('blahblah',array('content'=>link_to_function('blah2',"popUp('product_images/test.jpg', 900, 700, 'image')")));

Example code's output:

$('blahblah').innerHTML = '<a href=\"#\" onclick=\"popUp(&#039;product_images/test.jpg&#039;, 900, 700, &#039;image&#039;); return false;\">blah2</a>';

This problem arose from rev7900 when ENT_QUOTES was added to htmlspecialchars() in escape_once().

This probably applies to other functions that use escape_once() as well, because escape_once() is used by _tag_options(), which is used by content_tag().
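The two escaping layers the ticket describes, reproduced as an added example (not the ticket's or symfony's own code): html_escape_once(), js_escape(), link_to_js() and update_element_js() are simplified stand-ins for escape_once(), escape_javascript(), link_to_function() and update_element_function(), and js_single_quoted_literal_intact() is an assumed check that the generated statement still contains exactly one unbroken JS string literal.

```php
<?php
// Added example, not symfony's code: minimal stand-ins for the helpers in the
// ticket, showing how quotes travel through the HTML layer and then the JS layer.

// Stand-in for escape_once() after rev7900: HTML-escape with ENT_QUOTES so both
// " and ' become entities, without double-encoding entities already present.
function html_escape_once(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML401, 'UTF-8', false);
}

// Stand-in for escape_javascript(): fold newlines, backslash-escape " and '.
// It only recognises literal quote characters, so &quot; and &#039; pass through.
function js_escape(string $s): string
{
    $s = preg_replace('/\r\n|\n|\r/', '\\n', $s);
    return preg_replace('/(["\'])/', '\\\\$1', $s);
}

// Stand-in for link_to_function(): anchor whose onclick value is HTML-escaped once.
function link_to_js(string $label, string $js): string
{
    return '<a href="#" onclick="' . html_escape_once($js . '; return false;') . '">'
        . $label . '</a>';
}

// Stand-in for update_element_function() with a 'content' option: the HTML is
// embedded in a single-quoted JS string literal, so it goes through js_escape().
function update_element_js(string $id, string $content): string
{
    return '$(\'' . $id . '\').innerHTML = \'' . js_escape($content) . '\';';
}

// Assumed defensive check: the assigned value must be one JS string literal with
// no unescaped ' inside (an unescaped ' is one preceded by an even number of \).
function js_single_quoted_literal_intact(string $stmt): bool
{
    if (!preg_match("/= '(.*)';$/s", $stmt, $m)) {
        return false;
    }
    return !preg_match("/(?<!\\\\)(\\\\\\\\)*'/", $m[1]);
}

$out = update_element_js('blahblah',
    link_to_js('blah2', "popUp('product_images/test.jpg', 900, 700, 'image')"));
echo $out, PHP_EOL;
// Same string as the ticket's output: the attribute double quotes get \", while
// the single quotes reach the JS literal as &#039; because js_escape() ignores them.
echo js_single_quoted_literal_intact($out) ? "literal intact\n" : "literal broken\n";
```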

Change History

04/01/08 10:09:07 changed by noel

  • qualification changed from Unreviewed to Accepted.
  • milestone set to 1.0.13.

This will be fixed soon.

04/01/08 10:57:00 changed by nicolas

(In [8177]) Backported r8176 to 1.1 branch (refs #3206)

04/01/08 15:00:31 changed by nicolas

  • status changed from new to closed.
  • resolution set to fixed.

Fixed in r8176 and r8177.