Re: bug with HTML entity encoding of attribute of form elements

2010-08-06 Thread Dan Heberden
As for the quotes thing - I meant sending the slash along with it, so
the rendered, parsed, printed, whatever text would _look_ like

onclick="function(\"xxx\");"   more or less a workaround

I agree that it needs to be something specific.. I think escape needs
to be mixed - that way it would be backwards compatible..

echo $this->Form->button('', array('onClick' => 'function(\'xxx\')', 'escape' => true));

would still work OR

echo $this->Form->button('', array('onClick' => 'function(\'xxx\')', 'escape' => array('name')));

To specify WHAT gets escaped - if array, defaults to false for all
others.

Kind of like containable does..




On Aug 6, 4:28 am, drbuzasi  wrote:

Re: bug with HTML entity encoding of attribute of form elements

2010-08-06 Thread drbuzasi
Of course I mean at my first question: ...different options for title/
select options and for attributes in future versions...


On aug. 6, 13:21, drbuzasi  wrote:

Re: bug with HTML entity encoding of attribute of form elements

2010-08-06 Thread drbuzasi
I think that's not a problem of PHP escaping. Using double quotes in
JavaScript isn't a good idea since the code generated (assuming it
won't be escaped) would be
... onChange="functon("yyy")"...
which is meaningless because of the wrapping double quotes.

IMHO the problem is in form.php and helper.php.

Button problem:
If 'escape' is set true as option in form.php (CakePHP 1.3.3), line
1266 makes the title escaped. After that the option remains, causing
attributes to get escaped as well when calling _parseAttributes at line
1271.
So title AND attributes will be encoded if 'escape'=>true but none of
them while set to false.

Select (and $form->input generally) problem:
Setting 'escape'=>true HTML encodes only select options because line
1426 saves the value for line 1498 but line 1427 unsets this option.
So when calling _parseAttribute at line 1475 this option is not
present, causing use of the default value at line 336 in helper.php.
Select attributes will ALWAYS be encoded.

Question:
Should different escape options be used for title/select options in
future versions of CakePHP? Or should the default value in helper.php line
336 be set to false?

On aug. 6, 06:35, Dan Heberden  wrote:

Re: bug with HTML entity encoding of attribute of form elements

2010-08-05 Thread Dan Heberden
Does changing your quote pattern help?

echo $this->Form->select('field', array('1' => '', '2' => ''),
    null, array('onChange' => 'function(\"yyy\")'));

\" (because php isn't escaping it) will get sent to the output, which
_should_ render

onclick="function(\"yyy\")" -

I would do some more tests with sending double quotes vs single quotes
for the ent_quote option of the $form helper..



On Aug 5, 5:27 pm, drbuzasi  wrote:
> If a button is needed that is labeled as '' and has an
> 'onClick' attribute with some JavaScript containing a text parameter
> the code can't be created since when 'escape' is set to false in
> options (button default) the script is OK but the button's label will not
> be encoded.
> Setting 'escape' to true HTML encodes my script, too, which is wrong.
>
> echo $this->Form->button('', array('onClick' => 'function(\'xxx\')'));
> results
> 
>
> echo $this->Form->button('', array('onClick' => 'function(\'xxx\')', 'escape' => true));
> results
>  onClick="function('xxx')">

bug with HTML entity encoding of attribute of form elements

2010-08-05 Thread drbuzasi
If a button is needed that is labeled as '' and has an
'onClick' attribute with some JavaScript containing a text parameter
the code can't be created since when 'escape' is set to false in
options (button default) the script is OK but the button's label will not
be encoded.
Setting 'escape' to true HTML encodes my script, too, which is wrong.

echo $this->Form->button('', array('onClick' => 'function(\'xxx\')'));
results


echo $this->Form->button('', array('onClick' => 'function(\'xxx\')', 'escape' => true));
results
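As an added illustration (not CakePHP's FormHelper code nor any poster's), the 'escape' => array(...) form Dan proposes earlier in the thread, applied to the button case reported here; the function names, the constructed label and the extra 'title' attribute are assumptions:

```php
<?php
// Added example, not CakePHP's FormHelper: a per-attribute escape switch of the
// kind proposed in the thread. 'escape' may be true, false, or an array of the
// attribute names to encode (all other attributes are then left raw).
// Function names here are assumptions; the real helper's internals differ.

function escapeHtml($value)
{
    // ENT_QUOTES so both " and ' are encoded: the value is going into a
    // double-quoted attribute, and a stray quote there would end the attribute.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function parseAttributes(array $attributes, $escape)
{
    $html = '';
    foreach ($attributes as $name => $value) {
        $encode = is_array($escape) ? in_array($name, $escape, true) : (bool) $escape;
        $html .= ' ' . $name . '="' . ($encode ? escapeHtml($value) : $value) . '"';
    }
    return $html;
}

function button($title, array $options = array())
{
    $escape = isset($options['escape']) ? $options['escape'] : false;
    unset($options['escape']);
    // The label is encoded whenever any escaping was asked for, so text in the
    // title can never become markup even when a script attribute is passed raw.
    $label = ($escape === false) ? $title : escapeHtml($title);
    return '<button type="submit"' . parseAttributes($options, $escape) . '>'
        . $label . '</button>';
}

// Constructed inputs: a label that needs encoding, the onClick from the
// report, and a second attribute containing double quotes.
$title   = 'Save & Close';
$options = array('onClick' => "function('xxx')", 'title' => 'say "hi"');

// Default (escape => false): script intact, but label and title go out raw.
echo button($title, $options), "\n";
// escape => true: everything encoded, including the script's quotes.
echo button($title, $options + array('escape' => true)), "\n";
// escape => array('title'): label and title encoded, onClick passed through.
echo button($title, $options + array('escape' => array('title'))), "\n";
```

Browsers decode character references in attribute values before compiling an event handler, so the encoded and the raw onClick forms above execute the same script; the array form keeps the generated markup readable while still protecting the label and the other attributes.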