#4131: addslashes isn't sufficient to protect literal strings in embedded
JavaScript code
------------------------------------------------------+---------------------
          Reporter:  Ned Batchelder <[EMAIL PROTECTED]>  |        Owner:  nobody
            Status:  new                                 |    Component:  Template system
           Version:  SVN                                 |   Resolution:
          Keywords:                                      |        Stage:  Design decision needed
         Has_patch:  1                                   |   Needs_docs:  0
       Needs_tests:  0                                   |   Needs_better_patch:  0
------------------------------------------------------+---------------------
Comment (by jdunck):
Sweet, Andy.
FWIW, ECMA 262 7.8.4, to paraphrase, says you can't have a LineTerminator
inside a string:
{{{
SourceCharacter but not double-quote " or backslash \ or LineTerminator \
EscapeSequence
}}}
I'm not sure what to make of that last "\ EscapeSequence".
LineTerminator is defined in 7.3 as LF, CR, LS, PS:
{{{
\u000A Line Feed <LF>
\u000D Carriage Return <CR>
\u2028 Line separator <LS>
\u2029 Paragraph separator <PS>
}}}
In any case, I agree it's a bit ambiguous, and probably isn't a common
issue. I'd much rather see escapejs go in as-is than debate whether it's
completely correct according to a mis-worded spec. At the end of the day,
this is about not breaking web pages and avoiding security problems, which
I'm sure the patch does better than current trunk. :)
Will you bring it up on django-dev, or should I?
--
Ticket URL: <http://code.djangoproject.com/ticket/4131#comment:15>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
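The gap jdunck is pointing at, as an added example that is not Django's escapejs and not code from the ticket: an addslashes-style filter only touches backslash and the two quote characters, so a raw LF, CR, U+2028 or U+2029 passes straight into the JavaScript literal and terminates it (ECMA-262 7.8.4 forbids any LineTerminator inside a string literal). The hardened variant below maps every such character, plus the quotes, the backslash and the other C0 controls, to the \uXXXX form, which is valid inside both single- and double-quoted literals. The names addslashes, escape_js, js_string_literal and has_raw_line_terminator are assumptions made for this illustration.

```python
"""Added example (not Django's own code): addslashes vs. a LineTerminator-aware
JavaScript string escape, following the ECMA-262 sections cited on the ticket."""

# The four ECMA-262 LineTerminator code points (section 7.3).
LINE_TERMINATORS = {"\u000A", "\u000D", "\u2028", "\u2029"}


def addslashes(value: str) -> str:
    """PHP-style addslashes: escapes only backslash and the two quote
    characters. Newlines and the Unicode line/paragraph separators are
    left untouched, which is exactly the weakness discussed on the ticket."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


# Characters that must never appear raw inside a JS string literal, mapped to
# \uXXXX escapes. Every C0 control (0x00-0x1F) is included; U+2028/U+2029 are
# the two that a naive "escape the newline" approach usually forgets.
_JS_ESCAPES = {
    "\\": "\\u005C",
    "'": "\\u0027",
    '"': "\\u0022",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
    # Defensive extras beyond the ticket's scope: keep markup delimiters out
    # of inline <script> content as well.
    "<": "\\u003C",
    ">": "\\u003E",
    "&": "\\u0026",
}
for _code in range(0x20):
    # Covers LF (0x0A), CR (0x0D) and the remaining control characters.
    _JS_ESCAPES.setdefault(chr(_code), "\\u%04X" % _code)


def escape_js(value: str) -> str:
    """Hypothetical LineTerminator-aware escape for embedding `value` inside a
    quoted JavaScript string literal."""
    return "".join(_JS_ESCAPES.get(ch, ch) for ch in value)


def js_string_literal(value: str) -> str:
    """Wrap an escaped value in double quotes, ready to paste into a script."""
    return '"' + escape_js(value) + '"'


def has_raw_line_terminator(literal_body: str) -> bool:
    """True if a LineTerminator survives unescaped in the body of a literal,
    i.e. the literal would be unterminated under ECMA-262 7.8.4."""
    return any(ch in LINE_TERMINATORS for ch in literal_body)


if __name__ == "__main__":
    # Constructed sample: a user-supplied value containing U+2028 and a newline.
    sample = "first\u2028second\nthird"
    print("addslashes :", repr(addslashes(sample)),
          "raw terminator left:", has_raw_line_terminator(addslashes(sample)))
    print("escape_js  :", repr(escape_js(sample)),
          "raw terminator left:", has_raw_line_terminator(escape_js(sample)))
```

Running the block shows the addslashes output still containing the raw U+2028 and LF, while the escape_js output is plain ASCII with no LineTerminator left for the JavaScript parser to trip over. The \uXXXX form is chosen over backslash-letter escapes because it is unambiguous regardless of which quote character surrounds the literal.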