Yes and no... I would assume that if you said, to pass a string to a js function, that you would mean the entire string, regardless of what the string contains. The fact that it might not be used very often is irrespective of the context of jsstringformat() being to format a string, regardless of what the string contains... If a bug is encountered rarely that doesn't change the condition, except perhaps in the most existential sense... I don't work with CORBA therefore CORBA bugs are not bugs _to_me_. :)
The ability to safely (key word) pass a string to a javascript literal value isn't given by jsstringformat() alone. It succeeds in most but not all cases, hence the bug. In particular this is an issue if you create generic UDFs or Custom Tags intended for general consumption by other developers and which are expected to receive unknown variables which would then be placed in javascript string arguments. If the tag uses jsstringformat() to populate the title of an article and a user enters "the <script>Perils</script> of web programming" (a cute title for a technical article), the expected behavior of the tag (populating the title) will be replaced with a javascript error on the page. Personally I'd call that a bug.

That being said, I still occasionally use jsstringformat() unmodified when I expect that a variable might contain a \ but don't ever expect it to contain </script>, for instance when escaping a file path.

> i don't think i'd see that as a bug...i think the function exists to
> safely format content being passed to a JS function.
> this, it does.
> i'm sure i'll be corrected if i'm wrong...but i don't think
> '</script>' as a string is often passed as an argument to a function.
> I would say that escaping that string would be beyond the defined
> scope of the jsStringFormat() function, and therefore not in and of
> itself, a bug.

s. isaac dealey
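An added example, not part of the original post and not ColdFusion's own code: it shows why the article title from the message breaks an inline script block even when quotes and backslashes are escaped, and one escaper that avoids it. `naiveJsEscape`, `scriptSafeJsEscape`, `scriptBodyAsParsed`, `render` and `setTitle` are hypothetical names, and `naiveJsEscape` is only an assumed approximation of a quote-and-backslash escaper.

```javascript
// Assumed approximation of an escaper that handles only the characters
// that matter to the JavaScript tokenizer (not to the HTML parser).
function naiveJsEscape(s) {
  return s
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n");
}

// Hardened variant: additionally rewrites every "<" as \x3C so that
// "</script" and "<!--" can never appear inside the script block, and
// escapes U+2028/U+2029, which older JS engines treat as line breaks.
function scriptSafeJsEscape(s) {
  return naiveJsEscape(s)
    .replace(/</g, "\\x3C")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Simplified model of the HTML parser: the script element ends at the
// first "</script" (case-insensitive). The parser knows nothing about
// JavaScript string literals, so quotes do not protect the closing tag.
function scriptBodyAsParsed(html) {
  const open = html.search(/<script[^>]*>/i);
  if (open < 0) return null;
  const rest = html.slice(html.indexOf(">", open) + 1);
  const end = rest.search(/<\/script/i);
  return end < 0 ? rest : rest.slice(0, end);
}

// What a generic tag or UDF would emit for a user-supplied title.
function render(escape, title) {
  return "<script>setTitle('" + escape(title) + "');</script>";
}

// True when the source compiles as JavaScript (it is never executed).
function compiles(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}

// Title taken from the message above.
const title = "the <script>Perils</script> of web programming";
console.log(JSON.stringify(scriptBodyAsParsed(render(naiveJsEscape, title))));
console.log(JSON.stringify(scriptBodyAsParsed(render(scriptSafeJsEscape, title))));
```

With the naive escaper the browser sees a script body that stops in the middle of the string literal, which is the javascript error the message describes; with the hardened one the literal survives and decodes back to the original title.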

