[TYPO3-core] RFC: Bug 1030, 277, 1472 possibly 1270
René Fritz
rene at typo3.org
Thu Feb 9 17:17:48 CET 2006
> Description:
> The good old unescape(rawurlencode(...)) problem :)
> If JS is enclosed in <script> tags no htmlspecialchars get translated to
> their entities when encountered in strings. So you can write anything in a
> JS string enclosed in <script> tags and single quotes ' for example except
> other single quotes ... they must get escaped by a backslash. Stanislas
> noted that there are also problems with newlines but not with utf-8
> entities or similar special characters.
>
> The reason for this is that the content of <script> tags is of the HTML-DTD
> type CDATA by default.

Hi Bernard

I just crawled into browse_links.php and found the following code which confuses
me. Maybe this is a bug or you have to explain to me how JS in attributes
like onclick has to be formatted.

    function wrapTitle($title,$v,$ext_pArrPages) {
        if ($ext_pArrPages) {
            $ficon=t3lib_iconWorks::getIcon('pages',$v);
            $onClick = "return insertElement('pages', '".$v['uid']."', 'db', ".
                t3lib_div::quoteJSvalue($v['title']).", '', '', '".$ficon."','',1);";
        } else {
            $onClick = 'return jumpToUrl(\'browse_links.php?act='.
                $GLOBALS['SOBE']->act.'&mode='.$GLOBALS['SOBE']->mode.'&expandPage='.
                $v['uid'].'\');';
        }
        return '<a href="#" onclick="'.$onClick.'">'.$title.'</a>';
    }

The second onclick includes "&" which has to be htmlspecialchars($onClick), or
not?

I think you removed htmlspecialchars() because t3lib_div::quoteJSvalue() does
that already for the upper value.

Could you please clarify this. Is htmlspecialchars() needed in onclick or not?

Thanks
René
--
René Fritz
TYPO3 Association - Active Member
http://association.typo3.org/
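
An added example, not part of the original message and not TYPO3's code: in HTML, attribute values such as onclick have character references decoded before the handler runs, while <script> content is not decoded, so a value is escaped as a JS string first and the finished handler is passed through htmlspecialchars() second. jsString(), the sample title, the uid and the URL parameter values are assumptions made for this illustration.

```php
<?php
// Added illustration; jsString() and all sample values are hypothetical, not TYPO3 code.

// Layer 1: make a value safe inside a single-quoted JS string literal.
function jsString(string $value): string
{
    // strtr() replaces in one pass, so escaped output is never escaped twice.
    // "</" is broken up so a value cannot close a surrounding <script> element.
    $escaped = strtr($value, [
        '\\' => '\\\\',
        "'"  => "\\'",
        '"'  => '\\"',
        "\r" => '\\r',
        "\n" => '\\n',
        '</' => '<\\/',
    ]);
    return "'" . $escaped . "'";
}

// Layer 2: the finished JS statement goes into an HTML attribute, where the
// browser decodes character references before the JS engine sees the code.
function onclickAttribute(string $js): string
{
    return 'onclick="' . htmlspecialchars($js, ENT_QUOTES, 'UTF-8') . '"';
}

// Inside <script> no character references are decoded, so only layer 1 applies.
function scriptBlock(string $js): string
{
    return '<script type="text/javascript">' . $js . '</script>';
}

// Constructed sample input: a title with quotes, an ampersand and a newline.
$title = "Tom & \"Jerry's\"\nnews";
$url   = 'browse_links.php?act=page&mode=rte&expandPage=42';

$call = "return insertElement('pages', '42', 'db', " . jsString($title) . ');';
$jump = 'return jumpToUrl(' . jsString($url) . ');';

echo '<a href="#" ' . onclickAttribute($call) . '>title</a>', "\n";
echo '<a href="#" ' . onclickAttribute($jump) . '>expand</a>', "\n";
echo scriptBlock('var t = ' . jsString($title) . ';'), "\n";

// Attribute decoding restores the original statement, so layer 2 is
// transparent to the script that finally runs.
$attr = htmlspecialchars($jump, ENT_QUOTES, 'UTF-8');
var_dump(htmlspecialchars_decode($attr, ENT_QUOTES) === $jump);
```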