[TYPO3-core] RFC: Bug 1030, 277, 1472 possibly 1270
René Fritz
rene at typo3.org
Wed Feb 15 10:40:09 CET 2006
> Bernhard and René,
>
> can you please discuss if this needs to be changed?
We did.
onclick needs to be hsc'ed:
<a href="#" onclick="'.htmlspecialchars($usedHere).'">
But please note that quoteJSvalue() does that already by default.
There's one place in browse_links which needs htmlspecialchars(), which I
will commit soon. Other places are roughly checked and seem to be ok.
Anyway, I still think the second parameter of quoteJSvalue() should be changed:
/**
 * @param string The string to encode.
 * @param boolean If the value gets used in <script> tags.
 * @return string The encoded value already quoted
 */
function quoteJSvalue($value, $inScriptTags = false) {
    $value = addcslashes($value, '\''.chr(10).chr(13));
    if (!$inScriptTags) {
        $value = htmlspecialchars($value);
    }
    return '\''.$value.'\'';
}
My suggestion:
function quoteJSvalue($value, $hsc = false) {
    $value = addcslashes($value, '\''.chr(10).chr(13));
    if ($hsc) {
        $value = htmlspecialchars($value);
    }
    return '\''.$value.'\'';
}
But this might be confusing for me only. My brain twists with the double
negation of
$inScriptTags = false
and
if (!$inScriptTags)
which in fact does something when it is set to false.
René
--
René Fritz
TYPO3 Association - Active Member
http://association.typo3.org/
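The attribute-versus-<script> distinction discussed in the post, as an added PHP example (not TYPO3 core code): it uses the suggested $hsc signature, a constructed sample value, and additionally escapes the backslash, which the posted function's addcslashes() list does not cover.

```php
<?php
// Added example, not from the TYPO3 core. Shows why a JS string literal placed
// in an onclick="" attribute must also be HTML-escaped, while the same literal
// placed inside <script> must not be. The backslash is added to the
// addcslashes() list here; the posted TYPO3 function does not escape it.
function quoteJSvalue(string $value, bool $hsc = false): string {
    // Escape JS string delimiter, backslash and line breaks (become \' \\ \n \r).
    $value = addcslashes($value, '\\\'' . chr(10) . chr(13));
    if ($hsc) {
        // Only for HTML attribute context; ENT_QUOTES also encodes single quotes.
        $value = htmlspecialchars($value, ENT_QUOTES);
    }
    return '\'' . $value . '\'';
}

// Builds the anchor tag; $hsc selects whether the JS literal is HTML-escaped.
function renderAnchor(string $title, bool $hsc): string {
    $onclick = 'alert(' . quoteJSvalue($title, $hsc) . ');return false;';
    return '<a href="#" onclick="' . $onclick . '">link</a>';
}

// Builds the inline script variant (no HTML decoding happens in <script>).
function renderScript(string $title): string {
    return '<script>alert(' . quoteJSvalue($title) . ');</script>';
}

// Constructed sample carrying both an attribute delimiter (") and a JS
// string delimiter (').
$title = 'Say "hi" & bye, O\'Reilly';

// Correct attribute context: the browser HTML-decodes the attribute value
// before the JS engine parses it, so &quot; turns back into " safely.
echo renderAnchor($title, true), PHP_EOL;
// <a href="#" onclick="alert('Say &quot;hi&quot; &amp; bye, O\&#039;Reilly');return false;">link</a>

// Missing hsc (the bug class from the thread): the first " in the value
// terminates the onclick attribute and the rest lands in the tag.
echo renderAnchor($title, false), PHP_EOL;
// <a href="#" onclick="alert('Say "hi" & bye, O\'Reilly');return false;">link</a>

// <script> context: HTML-escaping here would leave literal &quot; in the text.
echo renderScript($title), PHP_EOL;
// <script>alert('Say "hi" & bye, O\'Reilly');</script>
```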