Smarty Forum Index Smarty
The discussions here are for Smarty, a template engine for the PHP programming language.

debug.tpl is missing javascript escape

 
Post new topic   Reply to topic    Smarty Forum Index -> Bugs
View previous topic :: View next topic  
Author Message
prossel
Smarty n00b


Joined: 08 Aug 2003
Posts: 4
Location: Switzerland

PostPosted: Fri Aug 08, 2003 9:06 am    Post subject: debug.tpl is missing javascript escape Reply with quote

Hello,

I have this problem under windows (where path separator is \) with file names begining with some characters (ex: u). The page is trying to fill the debug window with javascript such as:
Code:
_smarty_console.document.write("<tr ...>...{$_debug_tpls[templates].filename}...</tr>");

Since the filename is not escaped, this could produces output like this one:
Code:
_smarty_console.document.write("<tr bgcolor=#eeeeee><td colspan=2><tt><font color=brown>file:E:\Projects\XXX\wwwRoot\user.tpl.htm</font> <font size=-1><i>(0.51614)

The problem is that the \ (backslashes) are not escaped and depending on the character folowing the \ (ie the first letter of the file or folder), this produces javascript error.

To fix this, I replaced
Code:
{$_debug_tpls[templates].filename}

by
Code:
{$_debug_tpls[templates].filename|escape:"javascript"}

in file debug.tpl (2 places)

The fix seems to work well for me, but as not being a smarty developper, I don't know if the fix should be applied somewhere else too. For this reason and with the hope that this fix will be included in the next release, I post this issue here.

Thanks for any feedback.

Pierre Rossel
Back to top
View user's profile Send private message
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

PostPosted: Fri Aug 08, 2003 6:47 pm    Post subject: Reply with quote

i think debug.tpl is right place to fix this. but i would escape the first occurence of {$_debug_tpls[templates].filename} with |escape:html (since it is in html-context) and only the second with |escape:javascript (as you suggested).

thanks for reporting this with the fix including Smile
Back to top
View user's profile Send private message Send e-mail Visit poster's website
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

PostPosted: Fri Aug 08, 2003 6:54 pm    Post subject: Reply with quote

hmm, on second thought i would escape the second occurence with

...|escape:html|escape:javascript}

since it is a document.write that prints html-code. can anybody confirm this?


Last edited by messju on Fri Aug 08, 2003 8:43 pm; edited 1 time in total
Back to top
View user's profile Send private message Send e-mail Visit poster's website
prossel
Smarty n00b


Joined: 08 Aug 2003
Posts: 4
Location: Switzerland

PostPosted: Fri Aug 08, 2003 8:39 pm    Post subject: Reply with quote

messju wrote:
i think debug.tpl is right place to fix this. but i would escape the first occurence of {$_debug_tpls[templates].filename} with |escape:html (since it is in html-context) and only the second with |escape:javascript (as you suggested).
OK, this makes sense. I'll fix my fix as you suggested.

messju wrote:
thanks for reporting this with the fix including Smile

You're welcome. I'm using Smarty for the first time and I enjoy it so I'm glad if I can help. Cool
Back to top
View user's profile Send private message
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

PostPosted: Fri Aug 08, 2003 8:44 pm    Post subject: Reply with quote

this is in the cvs version now. thanks. Smile
Back to top
View user's profile Send private message Send e-mail Visit poster's website
prossel
Smarty n00b


Joined: 08 Aug 2003
Posts: 4
Location: Switzerland

PostPosted: Wed Aug 13, 2003 8:33 am    Post subject: Reply with quote

Hello,

I've found another problem of the same type when template variables contain the \ character.

It's still in the debug.tpl, in the second part, where JavaScript commands are generated, in the "assigned template variables" section.

I had to fix the
Code:
{$_debug_vals[vars]|@debug_print_var}
to be JavaScript escaped as well:
Code:
{$_debug_vals[vars]|@debug_print_var|escape:"javascript"}


But after this fix, which solved the problem of variables containing backslashes, there was another one with "\r" which were now appearing at the beginning of every lines. This turned out to have to be fixed in \plugins\modifier.debug_print_var.php. \r chunks are in single quote strings where they should be in double quote strings to be evaluated.

The fix is to modify all
'<br>\r'
to
"<br>\r"
(2 places)

Actually, I'm wondering if all variables outputs in the JavaScript section should not be JavaScript escaped. I leave this thought to the smart(y) developers...
Back to top
View user's profile Send private message
messju
Administrator


Joined: 16 Apr 2003
Posts: 3336
Location: Oldenburg, Germany

PostPosted: Wed Aug 13, 2003 2:01 pm    Post subject: Reply with quote

you suggestion looks good to me Smile
Back to top
View user's profile Send private message Send e-mail Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    Smarty Forum Index -> Bugs All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
Protected by Anti-Spam ACP