Revision: 1738
http://mrbs.svn.sourceforge.net/mrbs/?rev=1738&view=rev
Author: cimorrison
Date: 2011-01-06 13:46:39 +0000 (Thu, 06 Jan 2011)
Log Message:
-----------
Added escaping of JavaScript strings (see SF Bug ID 3152394)
Modified Paths:
--------------
mrbs/trunk/web/edit_entry.php
mrbs/trunk/web/functions.inc
Modified: mrbs/trunk/web/edit_entry.php
===================================================================
--- mrbs/trunk/web/edit_entry.php 2011-01-06 08:49:07 UTC (rev 1737)
+++ mrbs/trunk/web/edit_entry.php 2011-01-06 13:46:39 UTC (rev 1738)
@@ -463,7 +463,7 @@
if ($key == "area_name")
{
// Enclose strings in quotes
- $value = "'$value'";
+ $value = "'" . escape_js($value) . "'";
}
elseif (in_array($key, $boolean_fields['area']))
{
@@ -821,10 +821,7 @@
{
if ($r['area_id'] == $a['id'])
{
- $clean_room_name = str_replace('\\', '\\\\', $r['room_name']);
// escape backslash
- $clean_room_name = str_replace('"', '\\"', $clean_room_name);
// escape double quotes
- $clean_room_name = str_replace('/', '\\/', $clean_room_name);
// prevent '/' being parsed as markup (eg </p>)
- print "roomsObj.options[$i] = new Option(\"" .
$clean_room_name . "\"," . $r['id'] . ");\n";
+ print "roomsObj.options[$i] = new Option(\"" .
escape_js($r['room_name']) . "\"," . $r['id'] . ");\n";
$i++;
}
}
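Review bot: The new print no longer escapes `/`, which the removed lines did specifically so that a room name containing `</script>` (or `</p>`) could not close the inline script block; escape_js in functions.inc lists `<` and `>` but not `/`, so a name such as `</script >` is emitted as `\</script \>`, which still contains a `</script` run followed by a space that an HTML parser may take as the end tag. Restoring the old guarantee is a one-character addition to the charlist in functions.inc, `return addcslashes($str, "\\\'\"&\n\r<>/");`, which JavaScript reads back as a plain `/`. The same gap applies to the escape_js call in the `area_name` hunk above, which appears to feed script output too, and to the createTextNode hunk below, which is inside inline script. The enclosing loop begins before this hunk.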
@@ -894,7 +891,7 @@
?>
option = document.createElement('option');
option.value = <?php echo $a['id'] ?>;
- option_text = document.createTextNode('<?php echo $a['area_name'] ?>');
+ option_text = document.createTextNode('<?php echo
escape_js($a['area_name']) ?>');
<?php
if ($a['id'] == $area_id)
{
Modified: mrbs/trunk/web/functions.inc
===================================================================
--- mrbs/trunk/web/functions.inc 2011-01-06 08:49:07 UTC (rev 1737)
+++ mrbs/trunk/web/functions.inc 2011-01-06 13:46:39 UTC (rev 1738)
@@ -502,6 +502,17 @@
exit;
}
+
+// Escape a PHP string for use in JavaScript
+//
+// Based on a function contributed by kongaspar at gmail dot com at
+// http://www.php.net/manual/function.addcslashes.php
+function escape_js($str)
+{
+ return addcslashes($str, "\\\'\"&\n\r<>");
+}
+
+
// Remove backslash-escape quoting if PHP is configured to do it with
// magic_quotes_gpc. Use this whenever you need the actual value of a GET/POST
// form parameter (which might have special characters) regardless of PHP's
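Review bot: The charlist literal `"\\\'\"&\n\r<>"` in escape_js relies on `\'` not being an escape sequence inside a double-quoted PHP string, so it silently contributes a literal backslash plus an apostrophe (the backslash is therefore listed twice); it reads as if the apostrophe were being escaped. The equivalent and clearer form is `return addcslashes($str, "\\'\"&\n\r<>");`. The header comment should also state the context the output is safe in, e.g. `// Returns $str with \ ' " & < > and CR/LF backslash-escaped; the result is only safe inside a quoted JavaScript string literal.`, since the escapes for `&`, `<` and `>` are identity escapes that mean nothing outside a string literal.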