
Changeset 15887 for trunk


Timestamp:
01/17/12 01:01:29 (4 months ago)
Author:
Alexander Trofimov
Message:

Forms - attributes was not always escaped properly

Location:
trunk
Files:
3 edited

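--- a/trunk/inc/classes/BxDolUploader.php
+++ b/trunk/inc/classes/BxDolUploader.php
@@ -212,5 +212,5 @@
         }
 
-        echo '<script>window.parent.' . $this->getNameJsInstanceUploader() . '.onUploadCompleted(\'' . bx_js_string($this->getUploadErrorMessages(), BX_JS_STR_APOS) . '\');</script>';
+        echo '<script>window.parent.' . $this->getNameJsInstanceUploader() . '.onUploadCompleted(\'' . bx_js_string($this->getUploadErrorMessages(), BX_ESCAPE_STR_APOS) . '\');</script>';
     }
 
@@ -240,10 +240,10 @@
             $sJsValue = "{\n";
             foreach ($mixedGhostTemplate as $iFileId => $s) {
-                $sJsValue .= $iFileId . ':' . "'" . bx_js_string($s, BX_JS_STR_APOS) . "',\n";
+                $sJsValue .= $iFileId . ':' . "'" . bx_js_string($s, BX_ESCAPE_STR_APOS) . "',\n";
             }
             $sJsValue = substr($sJsValue, 0, -2);
             $sJsValue .= "}\n";
         } else {
-            $sJsValue = "'" . bx_js_string($mixedGhostTemplate, BX_JS_STR_APOS) . "'";
+            $sJsValue = "'" . bx_js_string($mixedGhostTemplate, BX_ESCAPE_STR_APOS) . "'";
         }
 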
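--- a/trunk/inc/utils.inc.php
+++ b/trunk/inc/utils.inc.php
@@ -25,7 +25,7 @@
 define('BX_DATA_DATETIME_TS', 9); ///< date/time data type stored as unixtimestamp
 
-define('BX_JS_STR_AUTO', 0); ///< turn apostropes and quote signs into html special chars, for use in @see bx_js_string
-define('BX_JS_STR_APOS', 1); ///< escape apostrophes only, for js strings enclosed in apostrophes, for use in @see bx_js_string
-define('BX_JS_STR_QUOTE', 2); ///< escape quotes only, for js strings enclosed in quotes, for use in @see bx_js_string
+define('BX_ESCAPE_STR_AUTO', 0); ///< turn apostropes and quote signs into html special chars, for use in @see bx_js_string and @see bx_html_attribute
+define('BX_ESCAPE_STR_APOS', 1); ///< escape apostrophes only, for js strings enclosed in apostrophes, for use in @see bx_js_string and @see bx_html_attribute
+define('BX_ESCAPE_STR_QUOTE', 2); ///< escape quotes only, for js strings enclosed in quotes, for use in @see bx_js_string and @see bx_html_attribute
 
 /**
@@ -1025,15 +1025,15 @@
  *
  * @param $mixedInput - string/array which should be filtered
- * @param $iQuoteType - string escaping method: BX_JS_STR_AUTO(default), BX_JS_STR_APOS or BX_JS_STR_QUOTE
+ * @param $iQuoteType - string escaping method: BX_ESCAPE_STR_AUTO(default), BX_ESCAPE_STR_APOS or BX_ESCAPE_STR_QUOTE
  * @return converted string / array
  */
-function bx_js_string ($mixedInput, $iQuoteType = BX_JS_STR_AUTO) {
+function bx_js_string ($mixedInput, $iQuoteType = BX_ESCAPE_STR_AUTO) {
     $aUnits = array(
         "\n" => "\\n",
         "\r" => "",
     );
-    if (BX_JS_STR_APOS == $iQuoteType) {
+    if (BX_ESCAPE_STR_APOS == $iQuoteType) {
         $aUnits["'"] = "\\'";
-    } elseif (BX_JS_STR_QUOTE == $iQuoteType) {
+    } elseif (BX_ESCAPE_STR_QUOTE == $iQuoteType) {
         $aUnits['"'] = '\\"';
     } else {
@@ -1050,9 +1050,14 @@
  * @return converted string / array
  */
-function bx_html_attribute ($mixedInput) {
-    $aUnits = array(
-        "\"" => "&quot;",
-        "'" => "&apos;",
-    );
+function bx_html_attribute ($mixedInput, $iQuoteType = BX_ESCAPE_STR_AUTO) {
+
+    $aUnits = array ();
+    if (BX_ESCAPE_STR_APOS == $iQuoteType)
+        $aUnits["'"] = "\\'";
+    elseif (BX_ESCAPE_STR_QUOTE == $iQuoteType)
+        $aUnits['"'] = '\\"';
+    else
+        $aUnits = array("\"" => "&quot;", "'" => "&apos;");
+
     return str_replace(array_keys($aUnits), array_values($aUnits), $mixedInput);
 }
@@ -1321,5 +1326,5 @@
             continue;
 
-        $sValueC = bx_html_attribute($sValue);
+        $sValueC = bx_html_attribute($sValue, BX_ESCAPE_STR_QUOTE);
 
         $sRet .= " $sKey=\"$sValueC\"";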
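Review bot: In bx_html_attribute the new BX_ESCAPE_STR_APOS and BX_ESCAPE_STR_QUOTE branches (new lines 1055-1058) substitute JavaScript-style backslash escapes (`\'`, `\"`), but a backslash has no escaping meaning inside an HTML attribute, so the caller at line 1328 that wraps the result in double quotes (`" $sKey=\"$sValueC\""`) still lets a `"` in $sValue terminate the attribute — the browser renders `\"` as a literal backslash followed by the closing quote. Use character references in those branches instead: `$aUnits["'"] = '&#039;';` and `$aUnits['"'] = '&quot;';` (the auto branch's `&apos;` is also not a defined entity in HTML 4.01, whereas `&#039;` is safe in every HTML version). The docblock ending at line 1051 should also gain an `@param $iQuoteType` line mirroring the one on bx_js_string, since the hunk adds the parameter without documenting it. The function containing the line-1328 call starts outside the hunk.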
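--- a/trunk/templates/base/scripts/BxBaseGrid.php
+++ b/trunk/templates/base/scripts/BxBaseGrid.php
@@ -187,7 +187,7 @@
             'start' => $iStart,
             'per_page' => $iPerPage,
-            'filter' => bx_js_string($sFilter, BX_JS_STR_APOS),
-            'order_field' => bx_js_string($sOrderField, BX_JS_STR_APOS),
-            'order_dir' => bx_js_string($sOrderDir, BX_JS_STR_APOS),
+            'filter' => bx_js_string($sFilter, BX_ESCAPE_STR_APOS),
+            'order_field' => bx_js_string($sOrderField, BX_ESCAPE_STR_APOS),
+            'order_dir' => bx_js_string($sOrderDir, BX_ESCAPE_STR_APOS),
             'popup_options' => $sPopupOptions,
             'query_append' => $sQueryAppend,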