[Jifty-commit] r3168 - jifty/trunk/lib/Jifty/Web/Form

Thu Apr 26 08:59:35 EDT 2007


Author: audreyt
Date: Thu Apr 26 08:59:34 2007
New Revision: 3168

Modified:
   jifty/trunk/lib/Jifty/Web/Form/Element.pm

Log:
* Jifty::Web::Form::Element - All JavaScript injected directly into HTML
  needs to be properly HTML escaped.  This fixes the case where there are
  e.g. double quotes and ampersands in prompt()/keybinding data, as well
  as making the bogus-Unicode-double-decoding bug in IE go away.

* Also, prompt() support was broken in IE as clicking "cancel" will still
  submit the action anyway; an "Event.stop(event);" corrected this. 


Modified: jifty/trunk/lib/Jifty/Web/Form/Element.pm
==============================================================================
--- jifty/trunk/lib/Jifty/Web/Form/Element.pm	(original)
+++ jifty/trunk/lib/Jifty/Web/Form/Element.pm	Thu Apr 26 08:59:34 2007
@@ -309,11 +309,11 @@
         my $string = join ";", (grep {not ref $_} (ref $value eq "ARRAY" ? @{$value} : ($value)));
         if (@fragments or %actions) {
 
-            my $update = "update( ". Jifty::JSON::objToJson( {actions => \%actions, fragments => \@fragments }, {singlequote => 1}) .", this );";
+            my $update = Jifty->web->escape("update( ". Jifty::JSON::objToJson( {actions => \%actions, fragments => \@fragments }, {singlequote => 1}) .", this );");
             $string .= $self->javascript_preempt ? "return $update" : "$update; return true;";
         }
         if ($confirm) {
-            $string = "if(!confirm(" . Jifty::JSON::objToJson($confirm, {singlequote => 1}) . ")) return false;" . $string;
+            $string = Jifty->web->escape("if(!confirm(" . Jifty::JSON::objToJson($confirm, {singlequote => 1}) . ")) { Event.stop(event); return false }") . $string;
         }
         $response .= qq| $trigger="$string"|;
     }
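Review bot: The attribute value is still assembled from the raw `$value` handler text: `$string` on the first hunk line is joined from `$value` without any escaping and interpolated into `$trigger="$string"` on the last line, so a double quote in a caller-supplied handler still terminates the attribute while only the generated `update(...)` and `confirm(...)` pieces are escaped. Whether `$value` can ever carry untrusted data is not visible here, but escaping once at the sink is the safer shape: `$response .= qq| $trigger="| . Jifty->web->escape($string) . qq|"|;` with the two `Jifty->web->escape(...)` wrappers on the `$update` and `$confirm` assignments dropped, otherwise `&` is escaped twice. The new `Event.stop(event)` relies on `event` being in scope for an inline handler (IE's global `window.event`, the implicit `event` argument elsewhere) and on Prototype's `Event` object being loaded on the page; if either is absent the handler throws instead of cancelling, which is worth a comment such as `# Event.stop needs Prototype; "event" is the implicit inline-handler argument`. The enclosing method begins before this hunk.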
@@ -389,7 +389,7 @@
     Jifty->web->out(
         '<script type="text/javascript"><!--' .
         "\n" .
-        $self->key_binding_javascript .
+        Jifty->web->escape($self->key_binding_javascript).
         "\n" .
         "--></script>");
     return '';
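Review bot: HTML-escaping the key-binding JavaScript does not work inside a `<script>` block: in HTML the script body is raw text, so `&quot;` and `&amp;` are never decoded and the emitted code is corrupted rather than protected, and the `<!--` wrapper on the line above already keeps XML-style decoding out of the picture. The attribute-context fix in the other hunk is right, but here the data has to be neutralised in JavaScript terms — encode the values through `Jifty::JSON::objToJson` (as the element code already does for `update()` and `confirm()`) and rewrite `</` as `<\/` so a `</script>` sequence in the data cannot close the block, leaving this line as the original `$self->key_binding_javascript .` with the escaping done inside `key_binding_javascript` itself. Whether `key_binding_javascript` already JSON-encodes its inputs is not visible here; the log message about double quotes in keybinding data suggests it does not, but that should be confirmed before choosing between the full encoding and only the `</` substitution. The enclosing method begins before this hunk.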

