Smarty Forum Index Smarty

escape:javascript bug
mohrt
Administrator


Joined: 16 Apr 2003
Posts: 7368
Location: Lincoln Nebraska, USA

Posted: Tue Sep 14, 2010 1:39 pm

thomaquin wrote:
Is there a way to escape the html entity code for single or double quotes using the javascript escape type?

Code:

$smarty->assign( 'name', 'O&#039Toole' );

<a href='#' onclick="add( '{ $name|escape:javascript }' );">


Results to:

Code:

<a href='#' onclick="add( 'O'Toole' );">


which will surely cause a javascript error. Any help will be greatly appreciated. Thanks.



How is O&#039Toole getting resolved to O'Toole? Smarty won't do that for you. Is your browser doing that? Did you check in the js console that it is in fact throwing an error?
douglassdavis
Smarty Junkie


Joined: 21 Jan 2008
Posts: 541

Posted: Tue Sep 14, 2010 2:05 pm

Since that is actually javascript embedded inside of an HTML tag, try doing:

|escape:'javascript'|escape

You should escape both languages.


Secondly, I'm almost sure you would want to do

Code:

$smarty->assign( 'name', "O'Toole" );


and not

Code:

$smarty->assign( 'name', "O&#039Toole" );



But, I don't know what you are using that value for, so I can't say for sure.
thomaquin
Smarty n00b


Joined: 14 Sep 2010
Posts: 2

Posted: Tue Sep 14, 2010 2:05 pm

I'm sorry for not being too exact and verbose.

The data containing the html entity is actually part of an array resultset from a DB query. Like so,
Code:

$smarty->assign( 'result', $resultset );

<a href="#" onclick="add( '{$result.lastname|escape:javascript}' );">


where,
Code:

$resultset['lastname'] = "O&#039Toole";


Intentionally did not complete the html entity, i.e. missed the semi-colon, since it seems that phpBB transforms it to the corresponding quote.

Although I have already found a solution for this, would just like to know whether there could be a better one.

Solution:
Code:

<a href="#" onclick="add( '{ $result.lastname|html_entity_decode:$smarty.const.ENT_QUOTES|escape:javascript }' );">
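The nested-context problem discussed in the posts above (an HTML entity inside a JavaScript string inside an HTML attribute), as an added example that is not part of the original posts or of Smarty. `js_escape()` and `browser_attr_decode()` are hypothetical helpers: the first copies the replacement map visible in the compiled template quoted later in this thread, the second approximates the browser's attribute decoding with `html_entity_decode()`; the sample value, with the semicolon restored, is constructed.

```php
<?php
// Added example, not Smarty's code. js_escape() is a stand-in that uses the
// same replacement map as the compiled escape:'javascript' output quoted
// later in this thread.
function js_escape(string $s): string {
    return strtr($s, [
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"',
        "\r" => '\\r', "\n" => '\\n', '</' => '<\\/',
    ]);
}

// Approximation of the browser: it entity-decodes the attribute value
// before handing the text to the JavaScript engine.
function browser_attr_decode(string $attr): string {
    return html_entity_decode($attr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$stored = 'O&#039;Toole';   // constructed sample: value stored HTML-encoded

// 1. JavaScript escaping alone: the entity contains no quote character, so
//    the escaper leaves it untouched and the browser turns it back into '.
$jsOnly = "add( '" . js_escape($stored) . "' );";

// 2. Decode to the raw value, escape it for the JS string, then escape the
//    whole handler for the HTML attribute (innermost context first).
$raw    = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
$nested = htmlspecialchars("add( '" . js_escape($raw) . "' );", ENT_QUOTES, 'UTF-8');

$cases = ['javascript only' => $jsOnly, 'decode + javascript + html' => $nested];
foreach ($cases as $label => $attr) {
    printf("%s\n  attribute value: %s\n  JS engine sees:  %s\n",
        $label, $attr, browser_attr_decode($attr));
}
```

In the first case the JavaScript engine receives an unescaped quote inside the string literal; in the second it receives a backslash-escaped quote, and the attribute itself contains no raw quote characters.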
maarchewa
Smarty n00b


Joined: 22 Aug 2011
Posts: 3

Posted: Tue Aug 23, 2011 12:18 pm

When I switched from version 3.0.6 to 3.1RC1, the escape:'javascript' modifier stopped working:

Code:
<b>Parse error</b>:  syntax error, unexpected T_NS_SEPARATOR, expecting ')' in <b>Smarty/sysplugins/smarty_internal_templatebase.php(206) : eval()'d code</b> on line <b>13</b><br />


my template looks like this:
Code:

{$callback}(
{nocache}
{literal}{{/literal}
    {foreach $nodes as $nodeName=>$value}"{$nodeName|escape:'javascript'}" : "{$value|escape:'javascript'}"{if not $value@last},{/if}{/foreach}
{literal}}{/literal}
{/nocache}
);


string which is passed to eval function:
Code:

'_jqjsp(
{
    <?php  $_smarty_tpl->tpl_vars[\'value\'] = new Smarty_Variable;
 $_smarty_tpl->tpl_vars[\'nodeName\'] = new Smarty_Variable;
 $_from = $_smarty_tpl->tpl_vars[\'nodes\']->value; if (!is_array($_from) && !is_object($_from)) { settype($_from, \'array\');}
 $_smarty_tpl->tpl_vars[\'value\']->total= $_smarty_tpl->_count($_from);
 $_smarty_tpl->tpl_vars[\'value\']->iteration=0;
if ($_smarty_tpl->tpl_vars[\'value\']->total > 0){
    foreach ($_from as $_smarty_tpl->tpl_vars[\'value\']->key => $_smarty_tpl->tpl_vars[\'value\']->value){
 $_smarty_tpl->tpl_vars[\'nodeName\']->value = $_smarty_tpl->tpl_vars[\'value\']->key;
 $_smarty_tpl->tpl_vars[\'value\']->iteration++;
 $_smarty_tpl->tpl_vars[\'value\']->last = $_smarty_tpl->tpl_vars[\'value\']->iteration === $_smarty_tpl->tpl_vars[\'value\']->total;
?>"<?php echo $_smarty_tpl->tpl_vars[\'nodeName\']->value;?>
" : "<?php echo strtr($_smarty_tpl->tpl_vars[\'value\']->value, array("\\" => "\\\\", "\'" => "\\\'", "\\"" => "\\\\"", "\\r" => "\\r", "\\n" => "\\n", "</" => "<\\/" ));?>
"<?php if (!$_smarty_tpl->tpl_vars[\'value\']->last){?>,<?php }?><?php }} ?>}
);'
rodneyrehm
Administrator


Joined: 30 Mar 2007
Posts: 674
Location: Germany, border to Switzerland

Posted: Wed Aug 24, 2011 9:42 am

Please try the 3_1_DEV branch, as I cannot reproduce your problem with that version.

Also, what you're doing here looks much like re-inventing http://php.net/json_encode
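The `json_encode` route suggested in the post above, applied to the JSONP template from the earlier post, as an added example that is not code from the thread or from Smarty. `jsonp_body()` is a hypothetical function, the callback pattern is an assumption about which names should be accepted, and the sample data is constructed; `JSON_THROW_ON_ERROR` needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. jsonp_body() is a hypothetical
// name; $nodes and the callback value below are constructed samples.
function jsonp_body(string $callback, array $nodes): string {
    // Assumption: callback names are limited to dotted JavaScript
    // identifiers, because the template prints {$callback} with no escaping.
    if (!preg_match('/^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*\z/', $callback)) {
        throw new InvalidArgumentException('invalid callback name');
    }

    // json_encode() quotes keys and values itself, so no per-value
    // escape:'javascript' and no hand-written comma logic is needed.
    // The JSON_HEX_* flags emit <, >, &, ' and " as \uXXXX sequences, which
    // keeps the payload inert if it is ever placed inside HTML.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;

    // The (object) cast makes an empty array encode as {} instead of [].
    return $callback . '(' . json_encode((object) $nodes, $flags) . ');';
}

$nodes = [
    'title'  => 'O\'Toole said "hi"',
    'markup' => "</script>\nnext line",
];

echo jsonp_body('_jqjsp', $nodes), "\n";
```

In a Smarty setup the resulting string can be assigned to a template variable and printed as-is, which removes the `{foreach}` and the per-value modifier from the template.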
mohrt
Administrator


Joined: 16 Apr 2003
Posts: 7368
Location: Lincoln Nebraska, USA

Posted: Wed Aug 24, 2011 1:48 pm

You also do not need to do this with 3.x:

Code:
{literal}{{/literal}
...
{literal}}{/literal}


Just drop the literal tags (and leave auto_literal enabled)
rodneyrehm
Administrator


Joined: 30 Mar 2007
Posts: 674
Location: Germany, border to Switzerland

Posted: Fri Aug 26, 2011 4:43 pm

You were totally right. There was a bug in the compiler, but only for non-caching sections in cached templates. Uwe just fixed it… http://code.google.com/p/smarty-php/source/detail?r=4246
qran
Smarty n00b


Joined: 25 Nov 2015
Posts: 1

Posted: Wed Nov 25, 2015 10:13 pm

escape:javascript will fail with < /anything> (space between < and /).


$escape_html is great but what about HTML5? Double encode?
Config options for htmlspecialchars @ escape_html would be nice.
All times are GMT