
debug.tpl is missing javascript escape

 
prossel
Smarty n00b


Joined: 08 Aug 2003
Posts: 4
Location: Switzerland

Posted: Fri Aug 08, 2003 9:06 am    Post subject: debug.tpl is missing javascript escape

Hello,

I have this problem under Windows (where the path separator is \) with file names beginning with some characters (ex: u). The page is trying to fill the debug window with JavaScript such as:
Code:
_smarty_console.document.write("<tr ...>...{$_debug_tpls[templates].filename}...</tr>");

Since the filename is not escaped, this could produce output like this one:
Code:
_smarty_console.document.write("<tr bgcolor=#eeeeee><td colspan=2><tt><font color=brown>file:E:\Projects\XXX\wwwRoot\user.tpl.htm</font> <font size=-1><i>(0.51614)

The problem is that the \ (backslashes) are not escaped and, depending on the character following the \ (i.e. the first letter of the file or folder), this produces a JavaScript error.

To fix this, I replaced
Code:
{$_debug_tpls[templates].filename}

by
Code:
{$_debug_tpls[templates].filename|escape:"javascript"}

in file debug.tpl (2 places)

The fix seems to work well for me, but not being a Smarty developer, I don't know if the fix should be applied somewhere else too. For this reason and with the hope that this fix will be included in the next release, I post this issue here.

Thanks for any feedback.

Pierre Rossel
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

Posted: Fri Aug 08, 2003 6:47 pm

i think debug.tpl is the right place to fix this. but i would escape the first occurrence of {$_debug_tpls[templates].filename} with |escape:html (since it is in html-context) and only the second with |escape:javascript (as you suggested).

thanks for reporting this with the fix included :)
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

Posted: Fri Aug 08, 2003 6:54 pm

hmm, on second thought i would escape the second occurrence with

...|escape:html|escape:javascript}

since it is a document.write that prints html-code. can anybody confirm this?


Last edited by messju on Fri Aug 08, 2003 8:43 pm; edited 1 time in total
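
The escaping order discussed in the posts above, as an added example that is not part of the thread or of Smarty's code. `escapeHtml` and `escapeJs` are assumed stand-ins for the `|escape:html` and `|escape:javascript` modifiers, `doc` is a hypothetical stand-in for `_smarty_console.document`, and the second and third file names are constructed samples.

```javascript
// Stand-ins for Smarty's |escape:html and |escape:javascript modifiers
// (assumed behaviour for this example, not Smarty's own code).
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) =>
  ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" }[c]));
const escapeJs = (s) => s.replace(/[\\'"\r\n]|<\//g, (c) =>
  ({ "\\": "\\\\", "'": "\\'", '"': '\\"', "\r": "\\r", "\n": "\\n", "</": "<\\/" }[c]));

// Build the kind of statement debug.tpl emits, applying the filters in order.
// "doc" is a hypothetical stand-in for _smarty_console.document.
const render = (filename, ...filters) =>
  'doc.write("<tt>' + filters.reduce((v, f) => f(v), filename) + '</tt>");';

// Parse and run the generated statement; return the HTML written or the error name.
function run(source) {
  const written = [];
  try {
    new Function("doc", source)({ write: (s) => written.push(s) });
  } catch (e) {
    return { error: e.name };
  }
  return { html: written.join("") };
}

// Sample file names (the first is from the report above, the others are constructed).
const userTpl = "file:E:\\Projects\\XXX\\wwwRoot\\user.tpl.htm"; // "\u" + non-hex
const newsTpl = "file:E:\\tmp\\news.tpl";                        // "\t" and "\n"
const markup = "file:a<b>&c.tpl";                                // HTML metacharacters

console.log(run(render(userTpl)));                      // unescaped: does not parse
console.log(run(render(newsTpl)));                      // unescaped: parses, path corrupted
console.log(run(render(userTpl, escapeJs)));            // backslashes survive
console.log(run(render(markup, escapeJs)));             // "<b>" reaches the HTML parser
console.log(run(render(markup, escapeHtml, escapeJs))); // written as text only
```

The value is HTML-escaped first and JavaScript-escaped second because the browser decodes in the opposite order: the string literal is parsed first, and the result is then handed to the HTML parser by `document.write`.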
prossel
Smarty n00b


Joined: 08 Aug 2003
Posts: 4
Location: Switzerland

Posted: Fri Aug 08, 2003 8:39 pm

messju wrote:
i think debug.tpl is the right place to fix this. but i would escape the first occurrence of {$_debug_tpls[templates].filename} with |escape:html (since it is in html-context) and only the second with |escape:javascript (as you suggested).
OK, this makes sense. I'll fix my fix as you suggested.

messju wrote:
thanks for reporting this with the fix included :)

You're welcome. I'm using Smarty for the first time and I enjoy it so I'm glad if I can help. 8)
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

Posted: Fri Aug 08, 2003 8:44 pm

this is in the cvs version now. thanks. :)
prossel
Smarty n00b


Joined: 08 Aug 2003
Posts: 4
Location: Switzerland

Posted: Wed Aug 13, 2003 8:33 am

Hello,

I've found another problem of the same type when template variables contain the \ character.

It's still in the debug.tpl, in the second part, where JavaScript commands are generated, in the "assigned template variables" section.

I had to fix the
Code:
{$_debug_vals[vars]|@debug_print_var}
to be JavaScript escaped as well:
Code:
{$_debug_vals[vars]|@debug_print_var|escape:"javascript"}


But after this fix, which solved the problem of variables containing backslashes, there was another one with "\r" which was now appearing at the beginning of every line. This turned out to have to be fixed in \plugins\modifier.debug_print_var.php. \r chunks are in single-quoted strings where they should be in double-quoted strings to be evaluated.

The fix is to modify all
'<br>\r'
to
"<br>\r"
(2 places)

Actually, I'm wondering if all variable outputs in the JavaScript section should not be JavaScript escaped. I leave this thought to the smart(y) developers...
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

Posted: Wed Aug 13, 2003 2:01 pm

your suggestion looks good to me :)