Hi,
I just tried to put a json object inside an attribute an I bumped into
an issue with String#escapeHTML().
The method does escape all the ampersands and the greater/less than
signs, but it does nothing to the quots.
This make the method completely unusable for writing attributes (for
innerHTML use).
Lets get through an example:
var eventMemo = {
aLabel: 'some String with "quotes", \'apostrophes\'...',
otherLabel: 'another String with &ersands and <tags>'
};
//I want this object inside an html attribute, so lets
//make it JSON and escape it:
var attr = Object.toJSON(eventMemo).escapeHTML();
var link = '<a href="javascript:;" class="fireCustomEvent"'+
' data-eventMemo="' + attr + '" > '+
' this link is supposed to fire custom event with memo '+
' read from data-eventMemo attribute '+
'</a>';
//lets see what this link looks like in Firebug:
console.log(link);
The output is:
<a href="javascript:;" class="fireCustomEvent"
data-eventMemo="{"aLabel": "some String with \"quotes\",
'apostrophs'...", "otherLabel": "another String with &ampersands
and <tags>"}" >this link is supposed to fire custom event with
memo read from data-eventMemo attribute</a>
As you can see, the output is completely broken, as the " are not
converted to " and ' to '
One have to append another replaces to properly escape the string:
var attr =
Object.toJSON(eventMemo).escapeHTML().gsub(/"/,'"').gsub(/'/,''');
The example in the documentation of escapeHTML also contains this
error, but no warning about this behaviour.
IMHO:
1. A note should be added to the docs about this issue, and an example
how to properly escape string for use inside attributes;
2. A parameter could be added tho this method which would escape
quotes automaticly.
Or a separate function could be introduced, eg. escapeHTMLquots()
which would do the same unconditionally.
3. Current behaviour of method can not be changed, as this would
create backward incompatibility.
I will place an issue about the docs, and I would like to hear your
opinion about the method modifications.
Best Regards,
SWilk
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Prototype & script.aculo.us" group.
To post to this group, send email to prototype-scriptaculous@googlegroups.com
To unsubscribe from this group, send email to
prototype-scriptaculous+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/prototype-scriptaculous?hl=en
-~----------~----~----~----~------~----~------~--~---
