Changeset 15887 for trunk/inc

Timestamp:

01/17/12 01:01:29 (4 months ago)

Author:

Alexander Trofimov

Message:

Forms - attributes was not always escaped properly

Location:

trunk/inc

Files:

• classes/BxDolUploader.php (modified) (2 diffs)
• utils.inc.php (modified) (4 diffs)

trunk/inc/classes/BxDolUploader.php

@@ -212 +212 @@
         }
 
-        echo '<script>window.parent.' . $this->getNameJsInstanceUploader() . '.onUploadCompleted(\'' . bx_js_string($this->getUploadErrorMessages(), BX_JS_STR_APOS) . '\');</script>';
+        echo '<script>window.parent.' . $this->getNameJsInstanceUploader() . '.onUploadCompleted(\'' . bx_js_string($this->getUploadErrorMessages(), BX_ESCAPE_STR_APOS) . '\');</script>';
     }
 
@@ -240 +240 @@
             $sJsValue = "{\n";
             foreach ($mixedGhostTemplate as $iFileId => $s) {
-                $sJsValue .= $iFileId . ':' . "'" . bx_js_string($s, BX_JS_STR_APOS) . "',\n";
+                $sJsValue .= $iFileId . ':' . "'" . bx_js_string($s, BX_ESCAPE_STR_APOS) . "',\n";
             }
             $sJsValue = substr($sJsValue, 0, -2);
             $sJsValue .= "}\n";
         } else {
-            $sJsValue = "'" . bx_js_string($mixedGhostTemplate, BX_JS_STR_APOS) . "'";
+            $sJsValue = "'" . bx_js_string($mixedGhostTemplate, BX_ESCAPE_STR_APOS) . "'";
         }
 

trunk/inc/utils.inc.php

@@ -25 +25 @@
 define('BX_DATA_DATETIME_TS', 9); ///< date/time data type stored as unixtimestamp
 
-define('BX_JS_STR_AUTO', 0); ///< turn apostropes and quote signs into html special chars, for use in @see bx_js_string
-define('BX_JS_STR_APOS', 1); ///< escape apostrophes only, for js strings enclosed in apostrophes, for use in @see bx_js_string
-define('BX_JS_STR_QUOTE', 2); ///< escape quotes only, for js strings enclosed in quotes, for use in @see bx_js_string
+define('BX_ESCAPE_STR_AUTO', 0); ///< turn apostropes and quote signs into html special chars, for use in @see bx_js_string and @see bx_html_attribute
+define('BX_ESCAPE_STR_APOS', 1); ///< escape apostrophes only, for js strings enclosed in apostrophes, for use in @see bx_js_string and @see bx_html_attribute
+define('BX_ESCAPE_STR_QUOTE', 2); ///< escape quotes only, for js strings enclosed in quotes, for use in @see bx_js_string and @see bx_html_attribute
 
 /**
@@ -1025 +1025 @@
  *
  * @param $mixedInput - string/array which should be filtered
- * @param $iQuoteType - string escaping method: BX_JS_STR_AUTO(default), BX_JS_STR_APOS or BX_JS_STR_QUOTE
+ * @param $iQuoteType - string escaping method: BX_ESCAPE_STR_AUTO(default), BX_ESCAPE_STR_APOS or BX_ESCAPE_STR_QUOTE
  * @return converted string / array
  */
-function bx_js_string ($mixedInput, $iQuoteType = BX_JS_STR_AUTO) {
+function bx_js_string ($mixedInput, $iQuoteType = BX_ESCAPE_STR_AUTO) {
     $aUnits = array(
         "\n" => "\\n",
         "\r" => "",
     );
-    if (BX_JS_STR_APOS == $iQuoteType) {
+    if (BX_ESCAPE_STR_APOS == $iQuoteType) {
         $aUnits["'"] = "\\'";
-    } elseif (BX_JS_STR_QUOTE == $iQuoteType) {
+    } elseif (BX_ESCAPE_STR_QUOTE == $iQuoteType) {
         $aUnits['"'] = '\\"';
     } else {
@@ -1050 +1050 @@
  * @return converted string / array
  */
-function bx_html_attribute ($mixedInput) {
-    $aUnits = array(
-        "\"" => "&quot;",
-        "'" => "&apos;",
-    );
+function bx_html_attribute ($mixedInput, $iQuoteType = BX_ESCAPE_STR_AUTO) {
+
+    $aUnits = array ();
+    if (BX_ESCAPE_STR_APOS == $iQuoteType)
+        $aUnits["'"] = "\\'";
+    elseif (BX_ESCAPE_STR_QUOTE == $iQuoteType)
+        $aUnits['"'] = '\\"';
+    else
+        $aUnits = array("\"" => "&quot;", "'" => "&apos;");
+
     return str_replace(array_keys($aUnits), array_values($aUnits), $mixedInput);
 }
@@ -1321 +1326 @@
             continue;
 
-        $sValueC = bx_html_attribute($sValue);
+        $sValueC = bx_html_attribute($sValue, BX_ESCAPE_STR_QUOTE);
 
         $sRet .= " $sKey=\"$sValueC\"";