Description: ------------ In the JS array created to govern the option list, variable content is not escaped, but should. Reproduce code: --------------- htpp://www.auderghem-analytica.com/download/QF_bug_test_case.txt Expected result: ---------------- var author_1 = new Array(); author_1[0] = new Array('1', 'O\'Reilly'); Actual result: -------------- var author_1 = new Array(); author_1[0] = new Array('1', 'O'Reilly'); // breaks JS!! I suggest the following fix: line 155 of HTML/Quickform/hierselect.php: replace: $this->_js .= $varName."[".$i."] = new Array('".$value."', '".$text."');\n"; by: $this->_js .= $varName."[".$i."] = new Array('".$value."', '".addslashes( $text )."');\n";

I think the standard approach used in QuickForm JS generation should do the trick here...

This bug has been fixed in CVS. In case this was a documentation problem, the fix will show up at the end of next Sunday (CET) on pear.php.net. In case this was a pear.php.net website problem, the change will show up on the website in short time. Thank you for the report, and for helping us make PEAR better.

I have a similar problem, tested on rev. 1.12 of hierselect.php. I can't use double quotes (") in options names below the first level deep, because I'm getting javascript error and hierselect fails to work. Reproduce code: --------------- require_once 'HTML/QuickForm.php'; $form = new HTML_QuickForm('bugForm'); $select1[0] = 'foo'; $select2[0][0] = '"bar"'; $sel =& $form->addElement('hierselect', 'bug', 'Bug:'); $sel->setOptions(array($select1, $select2)); $form->display(); Expected result: ---------------- hs_bug_0 = { "0":"\"bar\"" } Actual result: -------------- hs_bug_0 = { "0":""bar"" } Possible solution: ------------------ On line 336 of file hierselect.php: $js .= '"'.$optValue.'":"'.$options.'"'; do some "addslashing" of $options: $js .= '"'.$optValue.'":"'.addslashes($options).'"';