[TYPO3-core] RFC: pi_openAtagHrefInJSwindow() applies htmlspecialchars() twice
Martin Kutschker
Martin.Kutschker at n0spam-blackbox.net
Tue Nov 7 12:51:26 CET 2006
Michael Stucki wrote:
> This is a SVN patch request.
>
> Problem:
> The input string for pi_openAtagHrefInJSwindow() needs to be a complete <a
> href=.."> element, so it is clear that this must have htmlspecialchars()
> applied. However, when sending out the resulting JavaScript link, the whole
> content is sent through htmlspecialchars() again.
>
> Solution:
> I have removed the htmlspecialchars() call around the full output string but
> added two new ones for $winName and $winParams only.
Not tested, but...
If the return value of pi_openAtagHrefInJSwindow() gets hsc'd later on then
it won't matter if you hsc everything or only parts.
I fail to see where the double hsc'ing occurs.
Masi