View previous topic :: View next topic |
Author |
Message |
c960657 Smarty Regular
Joined: 07 May 2003 Posts: 75 Location: Copenhagen, Denmark
|
Posted: Wed May 07, 2003 1:21 pm Post subject: escape:javascript bug |
|
|
The part of modifier.escape.php that escapes Javascript currently looks like this:
Code: | return str_replace(array('\\','\'',"\r","\n"), array("\\\\", "\\'",'\r','\r'), $string); |
The last \r should be a \n instead.
Best regards,
Christian Schmidt |
|
Back to top |
|
mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
|
Posted: Wed May 07, 2003 1:24 pm Post subject: |
|
|
fixed in CVS, thanks. |
|
Back to top |
|
c960657 Smarty Regular
Joined: 07 May 2003 Posts: 75 Location: Copenhagen, Denmark
|
Posted: Sun Jul 27, 2003 9:22 pm Post subject: Double quote |
|
|
I think " (double quote) should also be added to the list of chars that should be encoded. |
|
Back to top |
|
c960657 Smarty Regular
Joined: 07 May 2003 Posts: 75 Location: Copenhagen, Denmark
|
|
Back to top |
|
messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
|
Posted: Tue Mar 16, 2004 12:02 pm Post subject: Re: Double quote |
|
|
c960657 wrote: | I think " (double quote) should also be added to the list of chars that should be encoded. |
yes. it looks like.
If i take the specification ECMA-262 (Chapter 7.8.4 "String literals"), I get the following nine characters to be translated:
[php:1:2b16bb5fc4]
array("\x08" => '\\b', "\x09" => '\\t', "\x0a" => '\\n',
"\x0b" => '\\v', "\x0c" => '\\f', "\x0d" => '\\r',
"\x22" => '\\"', "\x27" => '\\\'', "\x5c" => '\\');
[/php:1:2b16bb5fc4] |
|
Back to top |
|
c960657 Smarty Regular
Joined: 07 May 2003 Posts: 75 Location: Copenhagen, Denmark
|
Posted: Wed Jun 09, 2004 2:36 pm Post subject: Re: Double quote |
|
|
It's time for by bi-yearly post to this thread
I'll elaborate on my suggestion to also escape "</".
messju wrote: | If i take the specification ECMA-262 (Chapter 7.8.4 "String literals"), I get the following nine characters to be translated: |
The requirement for escaping "</" does not come from Javascript but from HTML. When used inside an inline <script> block in an HTML page, "</" should be escaped as "<\/".
Example:
If the variable $foo contains "<b>it's bold</b>", the following code currently generates invalid HTML:
Code: | <script type="text/javascript">
document.write('{$foo|escape:javascript}');
</script> |
In order to make it valid, one most use two modifiers, i.e.
Code: | <script type="text/javascript">
document.write('{$foo|escape:javascript|replace:"</":"<\/"}');
</script> |
I suggest extending escape:javascript to also escape "</" to "<\/" as a convenience for template authors that use escape:javascript in inline <script> tags (I assume that this is done a lot). It doesn't break scripts outside inline <script> blocks, e.g. in external Javascript include files and onclick attributes, except that it adds a few bytes to the strings. |
|
Back to top |
|
mohrt Administrator
Joined: 16 Apr 2003 Posts: 7368 Location: Lincoln Nebraska, USA
|
Posted: Wed Jun 09, 2004 2:54 pm Post subject: |
|
|
change is committed to CVS. |
|
Back to top |
|
limbhg Smarty Regular
Joined: 18 Jun 2004 Posts: 62
|
Posted: Tue Aug 31, 2004 10:30 am Post subject: problem with javascript <a href> onclick... |
|
|
hi guys,
need helps.
in my tpl, i have a <a href=....onclick="javascript:callthisfunction('{param1|escape}', '{param2|escape}', '{param3|escape}' ....></a>
values for the params are:
param1 = "i'm a boy"
param2 = "box 7"'"
param3 = "limbhg"
if you notice, the value for param2 contain a dbl quote & single quote.
when i click on the <a>, it gives javascript errors.
note that i have added |escape to the params, but error still persists.
what is the best way to solve this problem?
what if i store all the params into an array, i thk it should solve my problem too?
thanks. |
|
Back to top |
|
messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
|
Posted: Tue Aug 31, 2004 10:42 am Post subject: |
|
|
escape them twice:
{$param|escape:javascript|escape:html} |
|
Back to top |
|
limbhg Smarty Regular
Joined: 18 Jun 2004 Posts: 62
|
Posted: Tue Aug 31, 2004 10:58 am Post subject: |
|
|
messju wrote: | escape them twice:
{$param|escape:javascript|escape:html} |
messju,
{$param|escape:javascript|escape:html}
is the 2nd escape require the ":html"?
i thought :html is the default?
Last edited by limbhg on Tue Aug 31, 2004 11:15 am; edited 1 time in total |
|
Back to top |
|
limbhg Smarty Regular
Joined: 18 Jun 2004 Posts: 62
|
Posted: Tue Aug 31, 2004 11:00 am Post subject: |
|
|
messju wrote: | escape them twice:
{$param|escape:javascript|escape:html} |
messju, i got an error.
"Smarty error:
[plugin] modifier 'javascript' is not implemented (core.load_plugins.php, line 118)
d:\source\smarty\Smarty.class.php on line 1102 |
|
Back to top |
|
messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
|
Posted: Tue Aug 31, 2004 11:17 am Post subject: |
|
|
limbhg wrote: | messju, i got an error.
"Smarty error:
[plugin] modifier 'javascript' is not implemented (core.load_plugins.php, line 118)
d:\source\smarty\Smarty.class.php on line 1102 |
then you didn't copy my example literally:
{$param |escape:javascript |escape:html}
see? there is no modifier named "javascript" involved. |
|
Back to top |
|
limbhg Smarty Regular
Joined: 18 Jun 2004 Posts: 62
|
Posted: Tue Aug 31, 2004 11:28 am Post subject: |
|
|
messju wrote: | limbhg wrote: | messju, i got an error.
"Smarty error:
[plugin] modifier 'javascript' is not implemented (core.load_plugins.php, line 118)
d:\source\smarty\Smarty.class.php on line 1102 |
then you didn't copy my example literally:
{$param |escape:javascript |escape:html}
see? there is no modifier named "javascript" involved. |
sorry, messju, my fault. i put $param|escape|javascript instead of :javascript!!!!
i didn't follow literally. i should have just copy and paste it, then modify from there.
my eyes are getting poor, sadness. getting older here, 33 is on my way already!!!
but your son is still very sweet. the avatar u use. when is your 2nd one coming?
thanks. |
|
Back to top |
|
ahribernik Smarty n00b
Joined: 21 Sep 2004 Posts: 1
|
Posted: Tue Sep 21, 2004 5:30 pm Post subject: escape javascript bug |
|
|
mohrt wrote: | fixed in CVS, thanks. |
the escape javascript has a bug with strings that contain a single quote. these should be escaped as well.
below is my quick fix for the problem. you really should be encoding all special characters as well.
Code: | function escape_javascript($text){
$trans_table = get_html_translation_table( HTML_SPECIALCHARS, ENT_QUOTES);
$trans_table["'"] = "\'";
$trans_table["\\"] = "\\\\";
return (strtr($text, $trans_table));
} |
|
|
Back to top |
|
thomaquin Smarty n00b
Joined: 14 Sep 2010 Posts: 2
|
Posted: Tue Sep 14, 2010 6:34 am Post subject: |
|
|
Is there a way to escape the html entity code for single or doubles quotes using the javascript escape type?
Code: |
$smarty->assign( 'name', 'O'Toole' );
<a href='#' onclick="add( '{ $name|escape:javascript }' );">
|
Results to:
Code: |
<a href='#' onclick="add( 'O'Toole' );">
|
which will surely cause a javascript error. Any help will be greatly appreciated. Thanks. |
|
Back to top |
|
|