prossel Smarty n00b
Joined: 08 Aug 2003 Posts: 4 Location: Switzerland
Posted: Fri Aug 08, 2003 9:06 am Post subject: debug.tpl is missing javascript escape |
Hello,
I have this problem under Windows (where the path separator is \) with file names beginning with some characters (ex: u). The page is trying to fill the debug window with JavaScript such as:
Code: | _smarty_console.document.write("<tr ...>...{$_debug_tpls[templates].filename}...</tr>"); |
Since the filename is not escaped, this could produce output like this one:
Code: | _smarty_console.document.write("<tr bgcolor=#eeeeee><td colspan=2><tt><font color=brown>file:E:\Projects\XXX\wwwRoot\user.tpl.htm</font> <font size=-1><i>(0.51614) |
The problem is that the \ (backslashes) are not escaped and depending on the character following the \ (i.e. the first letter of the file or folder), this produces a JavaScript error.
To fix this, I replaced
Code: | {$_debug_tpls[templates].filename} |
by
Code: | {$_debug_tpls[templates].filename|escape:"javascript"} |
in file debug.tpl (2 places)
The fix seems to work well for me, but not being a Smarty developer, I don't know if the fix should be applied somewhere else too. For this reason and with the hope that this fix will be included in the next release, I post this issue here.
Thanks for any feedback.
Pierre Rossel |
messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
Posted: Fri Aug 08, 2003 6:47 pm Post subject: |
i think debug.tpl is the right place to fix this. but i would escape the first occurrence of {$_debug_tpls[templates].filename} with |escape:html (since it is in html-context) and only the second with |escape:javascript (as you suggested).
thanks for reporting this with the fix including |
messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
Posted: Fri Aug 08, 2003 6:54 pm Post subject: |
hmm, on second thought i would escape the second occurrence with
...|escape:html|escape:javascript}
since it is a document.write that prints html-code. can anybody confirm this?
Last edited by messju on Fri Aug 08, 2003 8:43 pm; edited 1 time in total |
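Added example (not part of the thread and not Smarty's own code): the sketch below builds the kind of statement debug.tpl emits and evaluates it with a stub in place of `_smarty_console.document.write`, to compare no escaping, JavaScript escaping alone, and HTML escaping followed by JavaScript escaping. `escapeHtml`, `escapeJs` and `render` are hypothetical stand-ins for the `|escape` modifiers and the template, and the sample inputs are constructed.

```javascript
// Added example. escapeHtml/escapeJs are hypothetical stand-ins for Smarty's
// |escape:"html" and |escape:"javascript" modifiers, not Smarty's own code.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
const JS_MAP = { '\\': '\\\\', "'": "\\'", '"': '\\"', '\r': '\\r', '\n': '\\n', '</': '<\\/' };

const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => HTML_MAP[c]);
const escapeJs = (s) => s.replace(/<\/|[\\'"\r\n]/g, (c) => JS_MAP[c]);

// Build the statement the template would emit, then evaluate it with a stub
// standing in for document.write so the HTML it would print can be captured.
function render(filename, modifiers) {
  const value = modifiers.reduce((v, modifier) => modifier(v), filename);
  const script = 'write("<tt>file:' + value + '</tt>");';
  let html = null;
  try {
    new Function('write', script)((s) => { html = s; });
  } catch (e) {
    // e.g. "\u" followed by non-hex characters is an invalid Unicode escape
    return { script, error: e.name };
  }
  return { script, html };
}

// Constructed inputs: the path from the first post, and a name containing markup.
const WIN_PATH = 'E:\\Projects\\XXX\\wwwRoot\\user.tpl.htm';
const MARKUP_NAME = 'a<b>.tpl';

const cases = [
  ['path, no escaping', render(WIN_PATH, [])],
  ['path, javascript only', render(WIN_PATH, [escapeJs])],
  ['markup, javascript only', render(MARKUP_NAME, [escapeJs])],
  ['markup, html then javascript', render(MARKUP_NAME, [escapeHtml, escapeJs])],
];
for (const [label, result] of cases) {
  console.log(label + ': ' + JSON.stringify(result));
}
```

JavaScript escaping alone keeps the statement valid but passes `<b>` through to the written document as markup; applying HTML escaping first is what makes the value print as text.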
prossel Smarty n00b
Joined: 08 Aug 2003 Posts: 4 Location: Switzerland
Posted: Fri Aug 08, 2003 8:39 pm Post subject: |
messju wrote: | i think debug.tpl is the right place to fix this. but i would escape the first occurrence of {$_debug_tpls[templates].filename} with |escape:html (since it is in html-context) and only the second with |escape:javascript (as you suggested).
| OK, this makes sense. I'll fix my fix as you suggested.
messju wrote: | thanks for reporting this with the fix including |
You're welcome. I'm using Smarty for the first time and I enjoy it so I'm glad if I can help. |
messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
Posted: Fri Aug 08, 2003 8:44 pm Post subject: |
this is in the cvs version now. thanks. |
prossel Smarty n00b
Joined: 08 Aug 2003 Posts: 4 Location: Switzerland
Posted: Wed Aug 13, 2003 8:33 am Post subject: |
Hello,
I've found another problem of the same type when template variables contain the \ character.
It's still in the debug.tpl, in the second part, where JavaScript commands are generated, in the "assigned template variables" section.
I had to fix the Code: | {$_debug_vals[vars]|@debug_print_var} | to be JavaScript escaped as well: Code: | {$_debug_vals[vars]|@debug_print_var|escape:"javascript"} |
But after this fix, which solved the problem of variables containing backslashes, there was another one with "\r" which was now appearing at the beginning of every line. This turned out to have to be fixed in \plugins\modifier.debug_print_var.php. \r chunks are in single-quoted strings where they should be in double-quoted strings to be evaluated.
The fix is to modify all
'<br>\r'
to
"<br>\r"
(2 places)
Actually, I'm wondering if all variable outputs in the JavaScript section should not be JavaScript escaped. I leave this thought to the smart(y) developers... |
messju Administrator
Joined: 16 Apr 2003 Posts: 3336 Location: Oldenburg, Germany
Posted: Wed Aug 13, 2003 2:01 pm Post subject: |
your suggestion looks good to me |