#4131: [patch] addslashes isn't sufficient to protect literal strings in embedded JavaScript code
---------------------------------------------------+------------------------
 Reporter: Ned Batchelder <[EMAIL PROTECTED]>       | Owner: adrian
 Status: new                                        | Component: Template system
 Version: SVN                                       | Keywords:
 Stage: Unreviewed                                  | Has_patch: 0
---------------------------------------------------+------------------------
When creating literal strings in embedded JavaScript code, the addslashes
filter is used to escape characters significant to JavaScript:
    <script>
    var x = "{{x|addslashes}}";
    blah(x);
    </script>
But if the variable x includes the string "</script>", then this script
block is ended too early, and the page is broken.
Attached is a patch that also escapes the </ sequence to ensure that this
can't happen.
--
Ticket URL: <http://code.djangoproject.com/ticket/4131>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
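The break-out the ticket describes, shown in an added Python example (this is not the attached patch or Django's code): addslashes is re-implemented with the same three replacements the filter makes, and a hypothetical escape_js_string helper adds the '</' rule from the ticket plus CR/LF escaping, which goes slightly beyond it. A small checker shows why the addslashes-only template closes its script block early and the extended escaping does not.

```python
import re


def addslashes(value):
    """Same replacements as Django's addslashes template filter: backslash,
    double quote and single quote get a backslash in front of them.
    Nothing here touches '<' or '/', which is the gap the ticket describes."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def escape_js_string(value):
    """addslashes plus two extra rules (hypothetical helper, not the patch):
    - '</' becomes '<\\/': JavaScript reads the escape "\\/" as a plain "/",
      but the HTML parser no longer sees a '</script' end tag in the literal;
    - raw CR/LF become \\r and \\n, because an unescaped newline also
      terminates a JavaScript string literal (beyond what the ticket covers)."""
    out = addslashes(value)
    out = out.replace("</", "<\\/")
    return out.replace("\r", "\\r").replace("\n", "\\n")


# The template from the ticket, with the filter output substituted in.
TEMPLATE = '<script>\nvar x = "%s";\nblah(x);\n</script>'


def render(value, escaper):
    """Render the ticket's template using the given escaping function."""
    return TEMPLATE % escaper(value)


# The HTML tokenizer ends script data at the first '</script', case-insensitive,
# regardless of where the JavaScript parser thinks it is.
_END_TAG = re.compile(r"</script", re.IGNORECASE)


def script_block_closes_early(html):
    """True if an end tag appears before the one the template itself emits."""
    return len(_END_TAG.findall(html)) > 1


if __name__ == "__main__":
    # Constructed sample value: ordinary data that happens to contain an end tag.
    sample = "x</script>y"
    print(render(sample, addslashes))         # script block is closed too early
    print(render(sample, escape_js_string))   # literal becomes "x<\/script>y"
```

Django's later escapejs filter takes the same route further by emitting \uXXXX escapes for '<', '>' and other risky characters, so the literal never contains an HTML-significant sequence at all.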