[TYPO3-core] RFC #1957: Feature: When deleting a record in the BE, MsgBox should show the record label

Martin Kutschker masi-no at spam-typo3.org
Fri Aug 29 20:59:46 CEST 2008


Rob Vonk wrote:
> Martin Kutschker wrote:
> 
>>
>> You htmlspecialchars() the title twice. Once after you get it and a
>> second time when adding it to the attribute onclick.
> 
> I can explain why I did that :)
> 
> I copied the code from the function 'getRecordTitlePrep' in
> class.t3lib_befunc.php. I posted the code at the end of the message.
> I wasn't sure why they did do that but thought it wouldn't mind so I
> just copied it.

Well, the function itself does a hsc on title, but only once.

>> Also you forgot to escape the string for a JS string. Any ' in the title
>> will break the JS code. I think there was some code for that in
>> t3lib_div.
> 
> There's indeed a function for that: slashJS but the htmlentities will
> take care of the quotes:
> 
> http://php.nederland.net/manual/en/function.htmlentities.php

I don't suggest it as it works only on a small list of character sets.
What you may want is to use the ENT_QUOTES mode (applies both to
htmlspecialchars and htmlentities).

> I verified by adding a ' to a title and it works as expected.

Let's use slashJS to be on the safe side with all browsers. Reason: HTML
entities should be processed prior to evaluating the JS code.

> Who can/may add these to the local language core?

Find the file that contains the existing messages and add a label.

Masi
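
The ordering discussed in this message (the browser decodes HTML entities in the onclick attribute before the JavaScript is evaluated), shown as an added example that is not part of the original message or of TYPO3. The helpers `hsc`, `jsEscape`, `decodeAttr` and `runOnclick` are hypothetical stand-ins written for this illustration, and the record title is constructed.

```javascript
// Added example. hsc/jsEscape/decodeAttr/runOnclick are hypothetical stand-ins,
// not TYPO3 or PHP functions; the record title below is constructed.

// Mimics PHP htmlspecialchars(); quotes=true corresponds to ENT_QUOTES.
function hsc(s, quotes) {
  s = s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
       .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
  return quotes ? s.replace(/'/g, '&#039;') : s;
}

// Escapes a value for use inside a single-quoted JS string literal.
function jsEscape(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'")
          .replace(/\r/g, '\\r').replace(/\n/g, '\\n');
}

// What the HTML parser does to the attribute value before any JS is compiled.
function decodeAttr(s) {
  return s.replace(/&#0*39;/g, "'").replace(/&quot;/g, '"')
          .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Decode the onclick value, compile it as a handler body, run it with a stub confirm().
function runOnclick(attrValue) {
  let shown = null;
  try {
    new Function('confirm', decodeAttr(attrValue))((msg) => { shown = msg; return false; });
    return { ok: true, message: shown };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

const wrap = (label) => "return confirm('Delete " + label + "?');";

// Entities only (ENT_QUOTES): the apostrophe is decoded back before JS sees it.
const entitiesOnly = (title) => wrap(hsc(title, true));
// JS-escape the value, then HTML-escape the whole attribute once.
const jsThenHtml = (title) => hsc(wrap(jsEscape(title)), true);
// Same, but the title was already HTML-escaped once: entities show up in the dialog.
const escapedTwice = (title) => hsc(wrap(jsEscape(hsc(title, true))), true);

const title = "Rob's <b>page</b>";
console.log(runOnclick(entitiesOnly(title)));
console.log(runOnclick(jsThenHtml(title)));
console.log(runOnclick(escapedTwice(title)));
```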

