I think that's not a problem of PHP escaping. Using double quotes in
JavaScript isn't a good idea since the code generated (assuming it
won't be escaped) would be
... onChange="function("yyy")"...
which is meaningless because of the wrapping double quotes.

IMHO the problem is in form.php and helper.php.

Button problem:
If 'escape' is set true as an option in form.php (CakePHP 1.3.3), line
1266 escapes the title. After that the option remains, causing the
attributes to get escaped as well when _parseAttributes is called at line
1271.
So title AND attributes will be encoded if 'escape'=>true, but neither of
them when it is set to false.

Select (and $form->input generally) problem:
Setting 'escape'=>true HTML-encodes only the select options because line
1426 saves the value for line 1498 but line 1427 unsets this option.
So when _parseAttributes is called at line 1475 this option is not
present, causing use of the default value at line 336 in helper.php.
Select attributes will ALWAYS be encoded.

Question:
Should different escape options for title/select options be used in
future versions of CakePHP? Or should the default value in helper.php line
336 be set to false?

On Aug 6, 06:35, Dan Heberden <danheber...@gmail.com> wrote:
> Does changing your quote pattern help?
>
> echo $this->Form->select('field', array( '1' => '<one>' , '2' =>
> '<two>' ),
>                                           null, array('onChange' =>
> 'function(\"yyy\")'));
>
> \" (because php isn't escaping it) will get sent to the output, which
> _should_ render
>
> onclick="function(\"yyy\")" -
>
> I would do some more tests with sending double quotes vs single quotes
> for the ent_quote option of the $form helper..
>
> On Aug 5, 5:27 pm, drbuzasi <drbuz...@gmail.com> wrote:
>
> > If a button is needed that is labeled as '<button>' and has an
> > 'onClick' attribute with some javascript containing a text parameter
> > the code can't be created since when 'escape' is set to false in
> > options (button default) the script is OK but buttons label will not
> > be encoded.
> > Setting 'escape' to true HTML encodes my script, too, which is wrong.
>
> > echo $this->Form->button('<button>', array('onClick' => 'function(\'xxx
> > \')'));
> > results
> > <button type="submit" onClick="function('xxx')"><button></button>
>
> > echo $this->Form->button('<button>', array('onClick' => 'function(\'xxx
> > \')', 'escape' => true));
> > results
> > <button type="submit"
> > onClick="function(&#039;xxx&#039;)">&lt;button&gt;</button>
>
> > echo $this->Form->button('<button>', array('onClick' => 'function(\'xxx
> > \')', 'escape' => false));
> > results
> > <button type="submit" onClick="function('xxx')"><button></button>
>
> > A similar problem is to create a select field with an 'onChange'
> > attribute containing the same JavaScript as above. Here the default of
> > the 'escape' attribute is set to true, which is of course desirable to
> > have the select options HTML encoded. But irrespective of this attribute
> > the script will ALWAYS be encoded, as shown below, which makes it
> > uninterpretable.
>
> > echo $this->Form->select('field', array('1'=>'<one>', '2'=>'<two>'),
> > null, array('onChange' => 'function(\'yyy\')'));
> > <select name="data[field]" onChange="function(&#039;yyy&#039;)"
> > id="field">
> > <option value=""></option>
> > <option value="1">&lt;one&gt;</option>
> > <option value="2">&lt;two&gt;</option>
> > </select>
>
> > echo $this->Form->select('field', array('1'=>'<one>', '2'=>'<two>'),
> > null, array('onChange' => 'function(\'yyy\')', 'escape' => true));
> > <select name="data[field]" onChange="function(&#039;yyy&#039;)"
> > id="field">
> > <option value=""></option>
> > <option value="1">&lt;one&gt;</option>
> > <option value="2">&lt;two&gt;</option>
> > </select>
>
> > echo $this->Form->select('field', array('1'=>'<one>', '2'=>'<two>'),
> > null, array('onChange' => 'function(\'yyy\')', 'escape' => false));
> > <select name="data[field]" onChange="function(&#039;yyy&#039;)"
> > id="field">
> > <option value=""></option>
> > <option value="1"><one></option>
> > <option value="2"><two></option>
> > </select>
>
> > Any idea how to correct it? Should a ticket be created according to
> > this problem?
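As an added illustration (not CakePHP's FormHelper code), here is a stand-alone PHP sketch of the split the question above asks for: one 'escape' flag that governs only the button label or the option text, while attribute values are always entity-encoded with ENT_QUOTES. The encoded handler still runs, because browsers decode entity references in attribute values before executing them; the helper names `attrs`, `button` and `select` are hypothetical.

```php
<?php
// Hypothetical helper, not CakePHP code: attribute values are ALWAYS
// escaped, independently of the 'escape' option used for label/option text.

function attrs(array $attributes): string {
    $out = '';
    foreach ($attributes as $name => $value) {
        // ENT_QUOTES turns ' into &#039; and " into &quot;, so a JavaScript
        // handler cannot break out of the attribute. The browser decodes the
        // entities before running it, so onClick="f(&#039;x&#039;)" runs f('x').
        $out .= sprintf(' %s="%s"', $name,
            htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'));
    }
    return $out;
}

function button(string $title, array $options = []): string {
    $escapeTitle = $options['escape'] ?? false;  // controls the label only
    unset($options['escape']);                   // never reaches attrs()
    $label = $escapeTitle ? htmlspecialchars($title, ENT_QUOTES, 'UTF-8') : $title;
    return sprintf('<button type="submit"%s>%s</button>', attrs($options), $label);
}

function select(string $name, array $choices, array $options = []): string {
    $escapeText = $options['escape'] ?? true;    // controls option text only
    unset($options['escape']);
    $html = sprintf('<select name="data[%s]"%s>',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), attrs($options));
    foreach ($choices as $value => $text) {
        $html .= sprintf('<option value="%s">%s</option>',
            htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'),
            $escapeText ? htmlspecialchars($text, ENT_QUOTES, 'UTF-8') : $text);
    }
    return $html . '</select>';
}

// Constructed sample calls mirroring the thread's cases.
echo button('<button>', ['onClick' => "function('xxx')", 'escape' => true]), "\n";
echo button('<button>', ['onClick' => "function('xxx')", 'escape' => false]), "\n";
echo select('field', ['1' => '<one>', '2' => '<two>'],
    ['onChange' => "function('yyy')", 'escape' => false]), "\n";
```

With 'escape' => false the raw `<button>` label and `<one>` option text are emitted unescaped, which is exactly where untrusted data must not be placed; the onClick/onChange values are encoded in every case.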
