[TYPO3-core] RFC: Bug 1030, 277, 1472 possibly 1270
Michael Stucki
michael at typo3.org
Fri Feb 24 18:46:51 CET 2006
Sorry for insisting. It seems this has still not been changed.
Bernhard and René, can you please solve that?
- michael
René Fritz wrote:
>
>> Bernhard and René,
>>
>> can you please discuss if this needs to be changed?
>
> We did
>
> onclick needs to be hsc'ed:
> <a href="#" onclick="'.htmlspecialchars($usedHere).'">
> But please note that quoteJSvalue() do that already by default.
>
> There's one place in browse_links which needs htmlspecialchars() which I
> commit soon. Other places are roughly checked and seems to be ok.
>
>
>
> Anyway I still think the second parameter quoteJSvalue() should be changed
>
> * @param string The string to encode.
> * @param boolean If the values get's used in <script> tags.
> * @return string The encoded value already quoted
> */
> function quoteJSvalue($value, $inScriptTags = false) {
>     // JS layer: backslash-escape single quotes and line breaks
>     $value = addcslashes($value, '\''.chr(10).chr(13));
>     if (!$inScriptTags) {
>         // HTML layer: only when the literal lands in an attribute
>         $value = htmlspecialchars($value);
>     }
>     return '\''.$value.'\'';
> }
>
>
> My suggestion:
>
> function quoteJSvalue($value, $hsc = false) {
>     // JS layer: backslash-escape single quotes and line breaks
>     $value = addcslashes($value, '\''.chr(10).chr(13));
>     if ($hsc) {
>         // HTML layer: caller asks for it explicitly
>         $value = htmlspecialchars($value);
>     }
>     return '\''.$value.'\'';
> }
>
> But this might be confusing for me only. My brain twists with the double
> negation of
> $inScriptTags = false
> and
> if (!$inScriptTags)
> which in fact do something when it is set to false.
>
> René
>
--
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
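The point René makes above is that a value embedded in JavaScript needs one escaping layer (JS string escaping) when it sits in a `<script>` body, but two layers (JS escaping, then HTML escaping) when it sits in an `onclick` attribute, because the HTML parser decodes the attribute before the JS engine ever sees it. The following is an added example written for this thread, not TYPO3 core code: it uses René's suggested `$hsc` parameter name, adds the backslash to the `addcslashes()` list (the quoted version lists only quote, LF and CR) and uses `ENT_QUOTES`; the helpers `renderOnclickLink()`, `renderInlineScript()` and the JS function `doIt()` are hypothetical.

```php
<?php
// Added example, not TYPO3 code. Two contexts, two escaping depths.

/**
 * Quote a PHP string as a single-quoted JavaScript string literal.
 * $hsc = true additionally HTML-escapes the result for use inside an
 * HTML attribute such as onclick="..."; leave it false inside <script>.
 */
function quoteJSvalue(string $value, bool $hsc = false): string
{
    // JS layer: escape backslash (assumption: added for completeness),
    // single quote, LF and CR so the literal cannot be terminated early.
    $value = addcslashes($value, '\\\'' . chr(10) . chr(13));
    if ($hsc) {
        // HTML layer: the attribute value is parsed as HTML first, so
        // quotes and ampersands must be entities here.
        $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return '\'' . $value . '\'';
}

// Hypothetical helper: value ends up in an onclick attribute -> both layers.
function renderOnclickLink(string $label, string $userValue): string
{
    return '<a href="#" onclick="doIt(' . quoteJSvalue($userValue, true) . ')">'
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Hypothetical helper: value ends up in a <script> body -> JS layer only.
// Passing $hsc = true here would be a bug: the browser would hand the JS
// engine a literal "&quot;" instead of a double quote.
function renderInlineScript(string $userValue): string
{
    return '<script type="text/javascript">var v = '
        . quoteJSvalue($userValue, false) . ';</script>';
}

// Constructed sample input with the characters each layer must handle.
$sample = "O'Reilly \"quoted\"\nline2";

echo renderOnclickLink('Click', $sample), "\n";
// <a href="#" onclick="doIt('O\&#039;Reilly &quot;quoted&quot;\nline2')">Click</a>

echo renderInlineScript($sample), "\n";
// <script type="text/javascript">var v = 'O\'Reilly "quoted"\nline2';</script>
```

In the attribute case the HTML parser turns `&#039;` and `&quot;` back into `'` and `"` before the JavaScript runs, so the JS engine receives exactly the backslash-escaped literal `'O\'Reilly "quoted"\nline2'`; in the script case nothing is HTML-decoded, which is why the second parameter exists at all and why naming it positively (`$hsc`) reads more naturally than the double negation `!$inScriptTags`.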
More information about the TYPO3-team-core mailing list