[TYPO3-core] RFC: Bug 1030, 277, 1472 possibly 1270

René Fritz rene at typo3.org
Thu Feb 9 17:17:48 CET 2006


> Description:
> The good old unescape(rawurlencode(...)) problem :)

> If JS is enclosed in <script> tags no htmlspecialchars get translated to
> their entities when encountered in strings. So you can write anything in a
> JS string enclosed in <script> tags and single quotes ' for example except
> other single quotes ... they must get escaped by a backslash. Stanislas
> noted that there are also problems with newlines but not with utf-8
> entities or similar special characters.
>
> The reason for this is that content of <script> tags are of the HTML-DTD
> type CDATA by default.

Hi Bernard

I just crawled into browse_links.php and found the following code, which confuses 
me. Maybe this is a bug, or you have to explain to me how JS in attributes 
like onclick has to be formatted.

function wrapTitle($title,$v,$ext_pArrPages)	{
	if ($ext_pArrPages)	{
		// Title is passed through quoteJSvalue(); no htmlspecialchars() on the attribute
		$ficon=t3lib_iconWorks::getIcon('pages',$v);
		$onClick = "return insertElement('pages', '".$v['uid']."', 'db', ".t3lib_div::quoteJSvalue($v['title']).", '', '', '".$ficon."','',1);";
	} else {
		// URL with raw "&" separators goes straight into the onclick attribute
		$onClick = 'return jumpToUrl(\'browse_links.php?act='.$GLOBALS['SOBE']->act.'&mode='.$GLOBALS['SOBE']->mode.'&expandPage='.$v['uid'].'\');';
	}
	return '<a href="#" onclick="'.$onClick.'">'.$title.'</a>';
}

The second onclick includes "&", which would have to be htmlspecialchars($onClick), or 
not?
I think you removed htmlspecialchars() because t3lib_div::quoteJSvalue() does 
that already for the upper value.

Could you please clarify this. Is htmlspecialchars() needed in onclick or not?

Thanks

René

-- 
René Fritz
TYPO3 Association - Active Member
http://association.typo3.org/
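Added example (editor's code, not from the thread or from TYPO3): the two escaping layers of an inline onclick handler. The browser HTML-decodes the attribute value first and only then hands it to the JavaScript parser, so the inner JavaScript-string escaping has to be applied before the outer attribute escaping. The helpers jsStringLiteral() and pageLink() are hypothetical stand-ins for quoteJSvalue() and wrapTitle(); the sample title is constructed.

```php
<?php
// Layer 1 (hypothetical helper): turn a PHP string into a single-quoted JS string literal.
function jsStringLiteral(string $value): string
{
    $escaped = strtr($value, [
        '\\' => '\\\\',  // backslash first, so later escapes are not doubled
        "'"  => "\\'",   // the only character that can end a single-quoted literal
        "\n" => '\n',    // raw newlines are a syntax error inside a JS string
        "\r" => '\r',
        '</' => '<\/',   // keeps a literal </script> from closing an inline script block
    ]);
    return "'" . $escaped . "'";
}

// Correct layering: JS-escape the value, then HTML-escape the whole attribute.
function pageLink(string $title, int $uid): string
{
    $onClick = "return insertElement('pages', '" . $uid . "', 'db', " . jsStringLiteral($title) . ");";
    // ENT_QUOTES turns ' into &#039; and " into &quot;, so the handler can sit in a "..." attribute.
    return '<a href="#" onclick="' . htmlspecialchars($onClick, ENT_QUOTES) . '">'
        . htmlspecialchars($title, ENT_QUOTES) . '</a>';
}

// Wrong layering for contrast: HTML-escaping the title before JS-escaping it.
// The browser decodes &#039; back to a bare ' inside the JS string, which breaks the literal.
function pageLinkWrongOrder(string $title, int $uid): string
{
    $onClick = "return insertElement('pages', '" . $uid . "', 'db', "
        . jsStringLiteral(htmlspecialchars($title, ENT_QUOTES)) . ");";
    return '<a href="#" onclick="' . $onClick . '">' . htmlspecialchars($title, ENT_QUOTES) . '</a>';
}

// Constructed sample title containing the characters the thread talks about.
$title = "Rock 'n' Roll & \"Co\"\nsecond line";
echo pageLink($title, 42), "\n";           // attribute decodes to: 'Rock \'n\' Roll & "Co"\nsecond line'
echo pageLinkWrongOrder($title, 42), "\n"; // attribute decodes to: 'Rock 'n' Roll ...' (broken string)
```

The same outer layer answers the "&mode=" question: a raw "&" in an attribute value is an HTML-level character and belongs to htmlspecialchars(), not to the JavaScript escaping.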
