#7648 closed defect (bug) (invalid)
js_escape() wrongly escapes too many characters
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Priority: | low | Milestone: | |
| Component: | JavaScript | Version: | 2.6.1 |
| Severity: | minor | Keywords: | needs-patch needs-testing |
| Cc: |
Description
Using js_escape(), there is no way to output <, >, or " as they are converted to HTML entities.
Example:
<script type="text/javascript">
<?php
echo 'alert("' . js_escape('HTML \'for\' "bold": <strong>bold text!</strong>') . '");';
?>
</script>
This is the output:
alert("HTML \'for\' "bold": <strong>bold text!</strong>");
Rather than this as expected:
alert("HTML \'for\' \"bold\": <strong>bold text!</strong>");
Attachments (3)
Change History (23)
Viper007Bond — 5 years ago
Viper007Bond — 5 years ago
comment:2
follow-up:
↓ 7
Denis-de-Bernardy — 4 years ago
mmm... recently, I got a validation error due to the fact that one of my scripts contained < rather than <, and " rather than " in a string. Maybe double check the facts, at least on quote chars?
@Denis-de-Bernardy: Correct, In HTML Attributes.
However, Not in <script> blocks as presented by Viper007Bond.
However, I think the js_escape() function might be mis-used in this case, In that, I thought it was designed for escaping for attribute-usage, much like attribute_escape().. though i could be wrong.
- Keywords needs-patch added; has-patch removed
broken patch. :-|
actually, his example seems like one where it actually should get escaped.
comment:6
Viper007Bond — 4 years ago
Well it is called js_escape() for a reason, no? There are other functions out there for escaping HTML attributes and such.
comment:7
in reply to:
↑ 2
Viper007Bond — 4 years ago
Replying to Denis-de-Bernardy:
mmm... recently, I got a validation error due to the fact that one of my scripts contained < rather than <, and " rather than " in a string. Maybe double check the facts, at least on quote chars?
This is because you didn't use CDATA or similiar, which you need to use to ensure validation.
comment:8
Viper007Bond — 4 years ago
- Keywords has-patch needs-testing added; needs-patch removed
comment:9
Viper007Bond — 4 years ago
See #9650 BTW. Might be worth deprecating js_escape() in favor of something like esc_js().
comment:10
Viper007Bond — 4 years ago
- Component changed from General to Formatting
- Owner anonymous deleted
comment:11
follow-up:
↓ 13
Denis-de-Bernardy — 4 years ago
patch is b0rke
see also #7041
comment:13
in reply to:
↑ 11
Viper007Bond — 4 years ago
Replying to Denis-de-Bernardy:
patch is b0rke
Only due to esc_js(). The patch is still valid-ish, it just needs to affect esc_js() instead now.
- Component changed from Formatting to JavaScript
- Owner set to azaozz
comment:15
azaozz — 4 years ago
The js_escape()/esc_js() seem to work as expected in echoed html attributes:
echo 'onclick="' . "if ( confirm('" . esc_js(__("You are about to delete ...
Perhaps it needs an arg to specify whether to convert html special chars to entities.
- Keywords needs-patch added; has-patch removed
- Priority changed from normal to low
- Severity changed from normal to minor
@Viper007Bond - still current/needing a new patch, right?
- Milestone changed from 2.8 to 2.9
punting per IRC discusion
comment:18
azaozz — 4 years ago
- Milestone 2.9 deleted
- Resolution set to invalid
- Status changed from new to closed
Seems to work properly. It is intended for escaping strings used in JS context in a tag attribute, for example:
<a onclick="alert('<?php echo esc_js($my_text); ?>'); return false;" ...
comment:19
follow-up:
↓ 20
Viper007Bond — 3 years ago
We should rename the function to esc_attr_js() or something then.
comment:20
in reply to:
↑ 19
nacin — 3 years ago
Replying to Viper007Bond:
We should rename the function to esc_attr_js() or something then.
And/or update the phpdoc: "Escapes text strings for echoing in JS, both inline (for example in onclick="...") and inside <script> tag."
Don't escape literal \n's