Filebrowser: properly escape JS config options

[cmb]

Hello Community,

I've just stumbled upon some help texts of the filebrowser, e.g.

Code: Select all

$plugin_tx['filebrowser']['cf_confirm_delete']="This text is used in javascript context: Do not use \" or '";

IMO it is ridiculous to tell users to eschew some characters instead of the software using proper escaping, when necessary. In this case the following might already suffice:

Code: Select all

addcslashes($string, '\\"')

Christoph

[cmb]

I had a closer look at the issue. The problem is that the three respective language strings are used as literal JS strings inside event handler attributes, e.g. (simplified)

Code: Select all

onsubmit="return confirm('Really delete?')"

So here we would have to escape the special HTML characters as HTML entities and apostrophes as \' (' is not valid under HTML 4.01). If there was no string literal, we wouldn't have to escape apostrophes, and could simple use XH_hsc() (if that was available in the editorbrowser. ).

So for now I've implemented a manual escaping (r1434).

For XH 1.7 we should really clean that up, though, and avoid using string literals in event handler attributes (or even event handler attributes at all). The language strings could be defined as properties of the FILEBROWSER object (escaped with json_encode()), and the actual filenames can be read from the adjacent elements -- that saves some bandwidth and the quoting hell.