Re: bug with HTML entity encoding of attribute of form elements
As for the quotes thing - I meant sending the slash along with it, so the rendered, parsed, printed, whatever text would _look_ like onclick="function(\"xxx\");" more or less a work around. I agree that it needs to be something specific.. I think escape needs to be mixed - that way it would be backwards compatible..

echo $this->Form->button('', array('onClick' => 'function(\'xxx \')', 'escape' => true));

would still work, OR

echo $this->Form->button('', array('onClick' => 'function(\'xxx \')', 'escape' => array('name')));

to specify WHAT gets escaped - if array, defaults to false for all others. Kind of like containable does..

On Aug 6, 4:28 am, drbuzasi wrote:
> Of course I mean at my first question: ...different options for title/selectoptions and for attributes in future versions...
>
> On aug. 6, 13:21, drbuzasi wrote:
> > I think that's not a problem of php escaping. Using double quotes in javascript isn't a good idea since the code generated (assuming it won't be escaped) would be
> > ... onChange="function("yyy")"...
> > which is meaningless because of the wrapping double quotes.
> >
> > IMHO the problem is in form.php and helper.php.
> >
> > Button problem:
> > If 'escape' is set true as option in form.php (CakePHP 1.3.3), line 1266 makes the title escaped. After that the option remains, causing attributes to get escaped as well when calling _parseAttributes at line 1271.
> > So title AND attributes will be encoded if 'escape'=>true but none of them while set to false.
> >
> > Select (and $form->input generally) problem:
> > Setting 'escape'=>true HTML encodes only select options because line 1426 saves the value for line 1498 but line 1427 unsets this option. So when calling _parseAttribute at line 1475 this option is not present, causing use of the default value at line 336 in helper.php.
> > Select attributes will be ALWAYS encoded.
> >
> > Question:
> > Should different escape options be used for title/selectoptions in future versions of CakePHP? Or should the default value in helper.php line 336 be set to false?
> >
> > On aug. 6, 06:35, Dan Heberden wrote:
> > > Does changing your quote pattern help?
> > >
> > > echo $this->Form->select('field', array('1' => '', '2' => ''), null, array('onChange' => 'function(\"yyy\")'));
> > >
> > > \" (because php isn't escaping it) will get sent to the output, which _should_ render
> > >
> > > onclick="function(\"yyy\")" -
> > >
> > > I would do some more tests with sending double quotes vs single quotes for the ent_quote option of the $form helper..
> > >
> > > On Aug 5, 5:27 pm, drbuzasi wrote:
> > > > If a button is needed that is labeled as '' and has an 'onClick' attribute with some javascript containing a text parameter, the code can't be created, since when 'escape' is set to false in options (button default) the script is OK but the button's label will not be encoded.
> > > > Setting 'escape' to true HTML encodes my script, too, which is wrong.
> > > >
> > > > echo $this->Form->button('', array('onClick' => 'function(\'xxx \')'));
> > > > results
> > > >
> > > > echo $this->Form->button('', array('onClick' => 'function(\'xxx \')', 'escape' => true));
> > > > results
> > > > onClick="function('xxx')">
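The behaviour described in this thread (one 'escape' flag that either encodes both the label and every attribute, or nothing at all) and the mixed 'escape' option proposed above, worked through in a small stand-alone renderer. This is an added illustration, not CakePHP's FormHelper code; renderButton() and attrShouldEscape() are names made up for the example, and the inputs are constructed to mirror the thread's button call.

```php
<?php
// Added example (not CakePHP's own code). renderButton() implements the
// proposed mixed 'escape' option:
//   true          -> encode the label and every attribute
//   false         -> encode nothing (the 1.3 button default per the thread)
//   array('name') -> encode the label and only the listed attributes

function attrShouldEscape($name, $escape)
{
    if (is_array($escape)) {
        // Array form: only the listed attributes are encoded, all others pass through.
        return in_array($name, $escape, true);
    }
    return (bool) $escape;
}

function renderButton($label, array $options = array())
{
    // Buttons default to 'escape' => false, as described in the thread.
    $escape = array_key_exists('escape', $options) ? $options['escape'] : false;
    unset($options['escape']);

    // The label is entity-encoded unless escaping was switched off entirely.
    $title = ($escape === false)
        ? $label
        : htmlspecialchars($label, ENT_QUOTES, 'UTF-8');

    $attrs = '';
    foreach ($options as $name => $value) {
        if (attrShouldEscape($name, $escape)) {
            // ENT_QUOTES also encodes single quotes, so the value can never
            // break out of the double-quoted attribute.
            $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
        $attrs .= ' ' . $name . '="' . $value . '"';
    }
    return '<button type="submit"' . $attrs . '>' . $title . '</button>';
}

// Constructed inputs mirroring the thread's example.
$label = 'Save & close';
$js    = "function('xxx')";

// Default: nothing encoded (label left raw, script untouched).
echo renderButton($label, array('onClick' => $js)), "\n";

// 'escape' => true: label AND onClick encoded.
echo renderButton($label, array('onClick' => $js, 'escape' => true)), "\n";

// Mixed form: label encoded, onClick left as written, 'name' would be encoded if set.
echo renderButton($label, array('onClick' => $js, 'escape' => array('name'))), "\n";
```

With 'escape' => true the handler comes out as onClick="function(&#039;xxx&#039;)". Browsers decode character references in attribute values while parsing, before the event handler source is ever evaluated, so that encoded form runs exactly as function('xxx') and is the safe output. Leaving an attribute unencoded, as the array form does for onClick here, is only acceptable for a constant the developer wrote; anything derived from request data belongs in the encoded path.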
Re: bug with HTML entity encoding of attribute of form elements
Of course I mean at my first question: ...different options for title/selectoptions and for attributes in future versions...

On aug. 6, 13:21, drbuzasi wrote:
> I think that's not a problem of php escaping. Using double quotes in javascript isn't a good idea since the code generated (assuming it won't be escaped) would be
> ... onChange="function("yyy")"...
> which is meaningless because of the wrapping double quotes.
>
> IMHO the problem is in form.php and helper.php.
>
> Button problem:
> If 'escape' is set true as option in form.php (CakePHP 1.3.3), line 1266 makes the title escaped. After that the option remains, causing attributes to get escaped as well when calling _parseAttributes at line 1271.
> So title AND attributes will be encoded if 'escape'=>true but none of them while set to false.
>
> Select (and $form->input generally) problem:
> Setting 'escape'=>true HTML encodes only select options because line 1426 saves the value for line 1498 but line 1427 unsets this option. So when calling _parseAttribute at line 1475 this option is not present, causing use of the default value at line 336 in helper.php.
> Select attributes will be ALWAYS encoded.
>
> Question:
> Should different escape options be used for title/selectoptions in future versions of CakePHP? Or should the default value in helper.php line 336 be set to false?
>
> On aug. 6, 06:35, Dan Heberden wrote:
> > Does changing your quote pattern help?
> >
> > echo $this->Form->select('field', array('1' => '', '2' => ''), null, array('onChange' => 'function(\"yyy\")'));
> >
> > \" (because php isn't escaping it) will get sent to the output, which _should_ render
> >
> > onclick="function(\"yyy\")" -
> >
> > I would do some more tests with sending double quotes vs single quotes for the ent_quote option of the $form helper..
> >
> > On Aug 5, 5:27 pm, drbuzasi wrote:
> > > If a button is needed that is labeled as '' and has an 'onClick' attribute with some javascript containing a text parameter, the code can't be created, since when 'escape' is set to false in options (button default) the script is OK but the button's label will not be encoded.
> > > Setting 'escape' to true HTML encodes my script, too, which is wrong.
> > >
> > > echo $this->Form->button('', array('onClick' => 'function(\'xxx \')'));
> > > results
> > >
> > > echo $this->Form->button('', array('onClick' => 'function(\'xxx \')', 'escape' => true));
> > > results
> > > onClick="function('xxx')">
Re: bug with HTML entity encoding of attribute of form elements
I think that's not a problem of php escaping. Using double quotes in javascript isn't a good idea since the code generated (assuming it won't be escaped) would be

... onChange="function("yyy")"...

which is meaningless because of the wrapping double quotes.

IMHO the problem is in form.php and helper.php.

Button problem:
If 'escape' is set true as option in form.php (CakePHP 1.3.3), line 1266 makes the title escaped. After that the option remains, causing attributes to get escaped as well when calling _parseAttributes at line 1271.
So title AND attributes will be encoded if 'escape'=>true but none of them while set to false.

Select (and $form->input generally) problem:
Setting 'escape'=>true HTML encodes only select options because line 1426 saves the value for line 1498 but line 1427 unsets this option. So when calling _parseAttribute at line 1475 this option is not present, causing use of the default value at line 336 in helper.php.
Select attributes will be ALWAYS encoded.

Question:
Should different escape options be used for title/selectoptions in future versions of CakePHP? Or should the default value in helper.php line 336 be set to false?

On aug. 6, 06:35, Dan Heberden wrote:
> Does changing your quote pattern help?
>
> echo $this->Form->select('field', array('1' => '', '2' => ''), null, array('onChange' => 'function(\"yyy\")'));
>
> \" (because php isn't escaping it) will get sent to the output, which _should_ render
>
> onclick="function(\"yyy\")" -
>
> I would do some more tests with sending double quotes vs single quotes for the ent_quote option of the $form helper..
>
> On Aug 5, 5:27 pm, drbuzasi wrote:
> > If a button is needed that is labeled as '' and has an 'onClick' attribute with some javascript containing a text parameter, the code can't be created, since when 'escape' is set to false in options (button default) the script is OK but the button's label will not be encoded.
> > Setting 'escape' to true HTML encodes my script, too, which is wrong.
> >
> > echo $this->Form->button('', array('onClick' => 'function(\'xxx \')'));
> > results
> >
> > echo $this->Form->button('', array('onClick' => 'function(\'xxx \')', 'escape' => true));
> > results
> > onClick="function('xxx')">
Re: bug with HTML entity encoding of attribute of form elements
Does changing your quote pattern help?

echo $this->Form->select('field', array('1' => '', '2' => ''), null, array('onChange' => 'function(\"yyy\")'));

\" (because php isn't escaping it) will get sent to the output, which _should_ render

onclick="function(\"yyy\")" -

I would do some more tests with sending double quotes vs single quotes for the ent_quote option of the $form helper..

On Aug 5, 5:27 pm, drbuzasi wrote:
> If a button is needed that is labeled as '' and has an 'onClick' attribute with some javascript containing a text parameter, the code can't be created, since when 'escape' is set to false in options (button default) the script is OK but the button's label will not be encoded.
> Setting 'escape' to true HTML encodes my script, too, which is wrong.
>
> echo $this->Form->button('', array('onClick' => 'function(\'xxx \')'));
> results
>
> echo $this->Form->button('', array('onClick' => 'function(\'xxx \')', 'escape' => true));
> results
> onClick="function('xxx')">
bug with HTML entity encoding of attribute of form elements
If a button is needed that is labeled as '' and has an 'onClick' attribute with some javascript containing a text parameter, the code can't be created, since when 'escape' is set to false in options (button default) the script is OK but the button's label will not be encoded. Setting 'escape' to true HTML encodes my script, too, which is wrong.

echo $this->Form->button('', array('onClick' => 'function(\'xxx \')'));

results

echo $this->Form->button('', array('onClick' => 'function(\'xxx \')', 'escape' => true));

results