#7648 closed defect (bug) (invalid)
js_escape() wrongly escapes too many characters
Reported by: | Viper007Bond | Owned by: | azaozz |
---|---|---|---|
Milestone: | Priority: | low | |
Severity: | minor | Version: | 2.6.1 |
Component: | JavaScript | Keywords: | needs-patch needs-testing |
Focuses: | Cc: |
Description
Using js_escape()
, there is no way to output <
, >
, or "
as they are converted to HTML entities.
Example:
<script type="text/javascript"> <?php echo 'alert("' . js_escape('HTML \'for\' "bold": <strong>bold text!</strong>') . '");'; ?> </script>
This is the output:
alert("HTML \'for\' "bold": <strong>bold text!</strong>");
Rather than this as expected:
alert("HTML \'for\' \"bold\": <strong>bold text!</strong>");
Attachments (3)
Change History (23)
#2
follow-up:
↓ 7
@
15 years ago
mmm... recently, I got a validation error due to the fact that one of my scripts contained < rather than <, and " rather than " in a string. Maybe double check the facts, at least on quote chars?
#3
@
15 years ago
@Denis-de-Bernardy: Correct, In HTML Attributes.
However, Not in <script> blocks as presented by Viper007Bond.
However, I think the js_escape() function might be mis-used in this case, In that, I thought it was designed for escaping for attribute-usage, much like attribute_escape().. though i could be wrong.
#6
@
15 years ago
Well it is called js_escape()
for a reason, no? There are other functions out there for escaping HTML attributes and such.
#7
in reply to:
↑ 2
@
15 years ago
Replying to Denis-de-Bernardy:
mmm... recently, I got a validation error due to the fact that one of my scripts contained < rather than <, and " rather than " in a string. Maybe double check the facts, at least on quote chars?
This is because you didn't use CDATA or similiar, which you need to use to ensure validation.
#9
@
15 years ago
See #9650 BTW. Might be worth deprecating js_escape()
in favor of something like esc_js()
.
#13
in reply to:
↑ 11
@
15 years ago
Replying to Denis-de-Bernardy:
patch is b0rke
Only due to esc_js()
. The patch is still valid-ish, it just needs to affect esc_js()
instead now.
#15
@
15 years ago
The js_escape()/esc_js() seem to work as expected in echoed html attributes:
echo 'onclick="' . "if ( confirm('" . esc_js(__("You are about to delete ...
Perhaps it needs an arg to specify whether to convert html special chars to entities.
#16
@
15 years ago
- Keywords needs-patch added; has-patch removed
- Priority changed from normal to low
- Severity changed from normal to minor
@Viper007Bond - still current/needing a new patch, right?
#18
@
15 years ago
- Milestone 2.9 deleted
- Resolution set to invalid
- Status changed from new to closed
Seems to work properly. It is intended for escaping strings used in JS context in a tag attribute, for example:
<a onclick="alert('<?php echo esc_js($my_text); ?>'); return false;" ...
#19
follow-up:
↓ 20
@
15 years ago
We should rename the function to esc_attr_js()
or something then.
#20
in reply to:
↑ 19
@
15 years ago
Replying to Viper007Bond:
We should rename the function to
esc_attr_js()
or something then.
And/or update the phpdoc: "Escapes text strings for echoing in JS, both inline (for example in onclick="...") and inside <script> tag."
Don't escape literal \n's