As for the quotes thing - I meant sending the slash along with it, so
the rendered, parsed, printed, whatever text would _look_ like

onclick="function(\"xxx\");"   more or less a workaround

I agree that it needs to be something specific.. I think escape needs
to be mixed - that way it would be backwards compatible..

echo $this->Form->button('<button>', array('onClick' =>
'function(\'xxx\')', 'escape' => true));

would still work OR

echo $this->Form->button('<button>', array('onClick' =>
'function(\'xxx\')', 'escape' => array('name') ));

To specify WHAT gets escaped.  - if array, defaults to false for all
others.

Kind of like containable does..




On Aug 6, 4:28 am, drbuzasi <drbuz...@gmail.com> wrote:
> Of course i mean at my first question: ...different options for title/
> selectoptions and for attributes in future versions...
>
> On aug. 6, 13:21, drbuzasi <drbuz...@gmail.com> wrote:
>
>
>
> > I think that's not a problem of php escaping. Using double quotes in
> > javascript isn't a good idea since the code generated (assuming it
> > won't be escaped) would be
> > ... onChange="function("yyy")"...
> > which is meaningless because of the wrapping double quotes.
>
> > IMHO the problem is in form.php and helper.php.
>
> > Button problem:
> > If 'escape' is set true as option in form.php (CakePHP 1.3.3) line
> > 1266 makes title escaped. After that the option remains, causing
> > attributes to get escaped as well when calling _parseAttributes at line
> > 1271.
> > So title AND attributes will be encoded if 'escape'=>true but none of
> > them when set to false.
>
> > Select (and $form->input generally) problem:
> > Setting 'escape'=>true HTML encodes only select options because line
> > 1426 saves the value for line 1498 but line 1427 unsets this option.
> > So when calling _parseAttribute at line 1475 this option is not
> > present causing use of default value at line 336 in helper.php.
> > Select attributes will be ALWAYS encoded.
>
> > Question:
> > Should different escape options be used for title/selectoptions in
> > future versions of CakePHP? Or should the default value in helper.php
> > line 336 be set to false?
>
> > On aug. 6, 06:35, Dan Heberden <danheber...@gmail.com> wrote:
>
> > > Does changing your quote pattern help?
>
> > > echo $this->Form->select('field', array( '1' => '<one>' , '2' =>
> > > '<two>' ),
> > >                                           null, array('onChange' =>
> > > 'function(\"yyy\")'));
>
> > > \" (because php isn't escaping it) will get sent to the output, which
> > > _should_ render
>
> > > onclick="function(\"yyy\")" -
>
> > > I would do some more tests with sending double quotes vs single quotes
> > > for the ent_quote option of the $form helper..
>
> > > On Aug 5, 5:27 pm, drbuzasi <drbuz...@gmail.com> wrote:
>
> > > > If a button is needed that is labeled as '<button>' and has an
> > > > 'onClick' attribute with some javascript containing a text parameter
> > > > the code can't be created since when 'escape' is set to false in
> > > > > options (button default) the script is OK but the button's label will not
> > > > be encoded.
> > > > Setting 'escape' to true HTML encodes my script, too, which is wrong.
>
> > > > > echo $this->Form->button('<button>', array('onClick' =>
> > > > > 'function(\'xxx\')'));
> > > > results
> > > > <button type="submit" onClick="function('xxx')"><button></button>
>
> > > > > echo $this->Form->button('<button>', array('onClick' =>
> > > > > 'function(\'xxx\')', 'escape' => true));
> > > > results
> > > > <button type="submit"
> > > > onClick="function(&#039;xxx&#039;)">&lt;button&gt;</button>
>
> > > > > echo $this->Form->button('<button>', array('onClick' =>
> > > > > 'function(\'xxx\')', 'escape' => false));
> > > > results
> > > > <button type="submit" onClick="function('xxx')"><button></button>
>
> > > > > A similar problem is to create a select field with an 'onChange'
> > > > > attribute containing the same javascript as above. For this the
> > > > > default of the 'escape' attribute is set to true, which is of course
> > > > > desirable to have the select options HTML encoded. But irrespective
> > > > > of this attribute the script will ALWAYS be encoded as shown below,
> > > > > so that makes it uninterpretable.
>
> > > > echo $this->Form->select('field', array('1'=>'<one>', '2'=>'<two>'),
> > > > null, array('onChange' => 'function(\'yyy\')'));
> > > > <select name="data[field]" onChange="function(&#039;yyy&#039;)"
> > > > id="field">
> > > > <option value=""></option>
> > > > <option value="1">&lt;one&gt;</option>
> > > > <option value="2">&lt;two&gt;</option>
> > > > </select>
>
> > > > echo $this->Form->select('field', array('1'=>'<one>', '2'=>'<two>'),
> > > > null, array('onChange' => 'function(\'yyy\')', 'escape' => true));
> > > > <select name="data[field]" onChange="function(&#039;yyy&#039;)"
> > > > id="field">
> > > > <option value=""></option>
> > > > <option value="1">&lt;one&gt;</option>
> > > > <option value="2">&lt;two&gt;</option>
> > > > </select>
>
> > > > echo $this->Form->select('field', array('1'=>'<one>', '2'=>'<two>'),
> > > > null, array('onChange' => 'function(\'yyy\')', 'escape' => false));
> > > > <select name="data[field]" onChange="function(&#039;yyy&#039;)"
> > > > id="field">
> > > > <option value=""></option>
> > > > <option value="1"><one></option>
> > > > <option value="2"><two></option>
> > > > </select>
>
> > > > Any idea how to correct it? Should a ticket be created according to
> > > > this problem?
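
The renderings discussed in this thread, run through a simplified model of browser attribute parsing (an added example, not code from the thread or from CakePHP; `decodeCharRefs`, `attributeValue` and `handlersSeenByBrowser` are hypothetical helpers). It shows that character references in an attribute value are decoded before the handler text reaches the script engine, while a backslash does not stop a double quote from ending the attribute.

```javascript
// Added example: simplified model of how an HTML parser reads a
// double-quoted attribute value. It is not a full HTML tokenizer.
const NAMED = new Map([['quot', '"'], ['apos', "'"], ['amp', '&'], ['lt', '<'], ['gt', '>']]);

// Decode numeric character references and the few named ones above.
function decodeCharRefs(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, ref) => {
    if (ref[0] !== '#') return NAMED.has(ref) ? NAMED.get(ref) : whole;
    const hex = ref[1] === 'x' || ref[1] === 'X';
    const code = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code > 0x10ffff ? whole : String.fromCodePoint(code);
  });
}

// Value the script engine receives for the first double-quoted attribute
// called `name` (hypothetical helper), or null if it is not found.
function attributeValue(tag, name) {
  const opener = name.toLowerCase() + '="';
  const start = tag.toLowerCase().indexOf(opener);
  if (start === -1) return null;
  const from = start + opener.length;
  // HTML has no backslash escape: the next " always ends the value.
  const end = tag.indexOf('"', from);
  return end === -1 ? null : decodeCharRefs(tag.slice(from, end));
}

// Sample tags: the first is the 'escape' => true output quoted in the
// thread; the other two are constructed from the renderings discussed.
const SAMPLES = {
  entityEncoded: '<button type="submit" onClick="function(&#039;xxx&#039;)">',
  backslashQuote: String.raw`<button onclick="function(\"yyy\")">`,
  quotEncoded: '<button onclick="function(&quot;yyy&quot;)">',
};

function handlersSeenByBrowser() {
  return {
    entityEncoded: attributeValue(SAMPLES.entityEncoded, 'onclick'),
    backslashQuote: attributeValue(SAMPLES.backslashQuote, 'onclick'),
    quotEncoded: attributeValue(SAMPLES.quotEncoded, 'onclick'),
  };
}

console.log(handlersSeenByBrowser());
```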
