ESCAPE=JS does not handle '
Brought to you by: samtregar
The following line will cause a js error:
<span onclick="alert('foo'bar');">Test</span>
This occurs because browsers will convert the ' to
a single quote when they put the document together, and
before they run the JavaScript. This only occurs when it
is part of an attribute, such as onclick, and not when
it occurs in a separate script block.
The same alert in a script block will output the
literal '
When using ESCAPE=JS this should probably be escaped.
@@ -2759,6 +2759,7 @@
}
s/\\/\\\\/g;
s/'/\\'/g;
+ s/'/\\'/g;
s/"/\\"/g;
s/\n/\\n/g;
s/\r/\\r/g;
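Review bot: the added `s/'/\\'/g;` is, as it appears on this page, character for character the same as the substitution immediately above it, so the hunk as shown changes nothing; if the pattern was meant to be the HTML character reference for the apostrophe (the rendered page seems to have decoded it to a plain quote), the patch needs to spell it out that way, and it still has to sit after the `s/\\/\\\\/g;` line, as it does here, so the backslash it introduces is not doubled again. More fundamentally, decoding one HTML entity inside ESCAPE=JS mixes two encoding layers: the reporter's own description says the problem only exists inside an attribute, where the browser HTML-decodes the value before compiling the JavaScript, and the comment below shows the same layering breaks on a plain double quote. Escaping for JS and then HTML-escaping that result for the attribute, as the comment suggests, fixes both without special-casing a single entity.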
The problem is rather with onclick handlers as a whole; the best solution would be a double escape of HTML and JS:
<span onclick="alert('foo&#39;bar');">Test</span>
This becomes apparent when you have double quotes in your value:
onclick="alert('<TMPL_VAR NAME ESCAPE=JS>')"
This will become (Name = Peter "PK" Miller):
onclick="alert('Peter \"PK\" Miller')", but the browser will only parse
onclick="alert('Peter \" and that won't work.
The best solution would be:
<TMPL_VAR ESCAPE=JS ESCAPE=HTML>, but the regex denies that.
(<TMPL_VAR ESCAPE=JSESCAPE=HTML> however works).
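The two-layer behaviour both posts describe (the browser first decodes the attribute's character references, then compiles what is left as JavaScript) can be reproduced with a small simulation. The following is an added example, not code from HTML::Template or from either poster: `jsEscape` mirrors the substitutions in the hunk above, `htmlEscape` stands in for ESCAPE=HTML, and `attributeSource` and `runHandler` are deliberately minimal stand-ins for a browser's attribute tokenizer, entity decoder and handler compilation, assumed here for illustration only.

```javascript
// Added example (not from HTML::Template or the bug thread): simulate how a
// browser handles an inline event handler built from a template value, to show
// why a value placed inside onclick="alert('...')" must be JS-escaped and
// THEN HTML-escaped, as the reply above suggests.

// Mirrors the substitutions ESCAPE=JS applies in the hunk above.
function jsEscape(s) {
  return s.replace(/\\/g, '\\\\')
          .replace(/'/g, "\\'")
          .replace(/"/g, '\\"')
          .replace(/\n/g, '\\n')
          .replace(/\r/g, '\\r');
}

// Stand-in for ESCAPE=HTML: the usual attribute-safe character references.
function htmlEscape(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#39;');
}

// The tag the template would emit for a given (already escaped) value.
function renderSpan(value) {
  return `<span onclick="alert('${value}');">Test</span>`;
}

// Browser step 1 (simplified): the HTML tokenizer reads the double-quoted
// attribute value up to the next '"' and then decodes character references.
// Numeric and named references are decoded before &amp; so that a literal
// "&amp;#39;" comes out as the text "&#39;" rather than as an apostrophe.
function attributeSource(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  if (!m) throw new Error('no onclick attribute found');
  return m[1].replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)))
             .replace(/&quot;/g, '"').replace(/&lt;/g, '<')
             .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Browser step 2 (simplified): the decoded attribute text is compiled as the
// handler body. Returns what alert() received, or null on a syntax error,
// which is exactly the failure both posts report.
function runHandler(html) {
  let shown = null;
  try {
    new Function('alert', attributeSource(html))(v => { shown = v; });
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
    shown = null;
  }
  return shown;
}

// The two escaping strategies under discussion.
const STRATEGIES = {
  jsOnly:     v => renderSpan(jsEscape(v)),            // ESCAPE=JS alone
  jsThenHtml: v => renderSpan(htmlEscape(jsEscape(v))), // ESCAPE=JS then ESCAPE=HTML
};

// Constructed inputs: the reply's name with double quotes, the report's
// literal entity text, and a plain apostrophe for comparison.
const SAMPLE_INPUTS = ['Peter "PK" Miller', 'foo&#39;bar', "it's"];

function demo() {
  const results = {};
  for (const input of SAMPLE_INPUTS) {
    results[input] = {
      jsOnly: runHandler(STRATEGIES.jsOnly(input)),
      jsThenHtml: runHandler(STRATEGIES.jsThenHtml(input)),
    };
  }
  return results;
}

console.log(demo());
```

With ESCAPE=JS alone, the double-quoted name is cut off at the attribute delimiter and the entity text is decoded into a stray quote, so both handlers fail to compile; with JS escaping followed by HTML escaping, every input reaches `alert()` unchanged. The apostrophe case works either way, which is why the problem only shows up on inputs that contain a `"` or an entity.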