[#MDL-19086] lib/editor/htmlarea/htmlarea.php should escape strings before sending to JS - Moodle Tracker

Details

Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 1.9.6, 2.0
Fix Version/s: 2.0.8, STABLE backlog
Component/s: HTML Editor, Language
Labels:
None

Affected Branches:
MOODLE_19_STABLE, MOODLE_20_STABLE
Fixed Branches:
MOODLE_20_STABLE

Description

I am sure that the strings are all correctly escaped in the language files, and also the language editor correctly escapes when you save ,, but I just had a problem with a site that was sending "OK"-button to Javascript, and it was breaking the editor.

Since we do support local translations, and don't enforce the editor, I believe we should put some smarts into the htmlarea.php to do something like addslashes(stripslashes($string)) before sending it to JS.

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Petr Škoda (skodak) added a comment - 08/May/09 9:01 PM

addslashes is a nono for javascript, we have addslashes_js() for that, I am not sure here, but in this case we might have to use s() or htmlentities() too

Show

Petr Škoda (skodak) added a comment - 08/May/09 9:01 PM addslashes is a nono for javascript, we have addslashes_js() for that, I am not sure here, but in this case we might have to use s() or htmlentities() too

Hide

Permalink

Penny Leach added a comment - 08/May/09 9:19 PM

sure, whatever the correct function is

Show

Penny Leach added a comment - 08/May/09 9:19 PM sure, whatever the correct function is

People

Assignee:

moodle.com

Reporter:

Penny Leach

Participants:

moodle.com, Penny Leach, Petr Škoda (skodak)

Vote (1)

Watch (2)

Dates

Created:

07/May/09 12:21 AM

Updated:

08/Jan/12 9:26 AM