
Bug #328 hierselect: javascript does not escape quotes (but should)
Submitted: 2003-11-30 11:37 UTC
From: ignatius dot reilly at free dot fr Assigned: mansion
Status: Closed Package: HTML_QuickForm
PHP Version: 4.3.3 OS: Windows 2000
Roadmaps: (Not assigned)    

 [2003-11-30 11:37 UTC] ignatius dot reilly at free dot fr
Description:
------------
In the JS array created to govern the option list, variable content is not escaped, but should be.

Reproduce code:
---------------
htpp://

Expected result:
----------------
var author_1 = new Array();
author_1[0] = new Array('1', 'O\'Reilly');

Actual result:
--------------
var author_1 = new Array();
author_1[0] = new Array('1', 'O'Reilly'); // breaks JS!!

I suggest the following fix:
line 155 of HTML/Quickform/hierselect.php:
replace:
$this->_js .= $varName."[".$i."] = new Array('".$value."', '".$text."');\n";
by:
$this->_js .= $varName."[".$i."] = new Array('".$value."', '".addslashes( $text )."');\n";


 [2003-12-02 19:53 UTC] avb
I think the standard approach used in QuickForm JS generation should do the trick here...
 [2003-12-18 14:25 UTC] mansion at php dot net
This bug has been fixed in CVS. In case this was a documentation problem, the fix will show up at the end of next Sunday (CET) on In case this was a website problem, the change will show up on the website in short time. Thank you for the report, and for helping us make PEAR better.
 [2005-01-02 19:57 UTC] support at infinity dot com dot ua
I have a similar problem, tested on rev. 1.12 of hierselect.php. I can't use double quotes (") in option names below the first level deep, because I'm getting a JavaScript error and hierselect fails to work.

Reproduce code:
---------------
require_once 'HTML/QuickForm.php';
$form = new HTML_QuickForm('bugForm');
$select1[0] = 'foo';
$select2[0][0] = '"bar"';
$sel =& $form->addElement('hierselect', 'bug', 'Bug:');
$sel->setOptions(array($select1, $select2));
$form->display();

Expected result:
----------------
hs_bug_0 = { "0":"\"bar\"" }

Actual result:
--------------
hs_bug_0 = { "0":""bar"" }

Possible solution:
------------------
On line 336 of file hierselect.php:
$js .= '"'.$optValue.'":"'.$options.'"';
do some "addslashing" of $options:
$js .= '"'.$optValue.'":"'.addslashes($options).'"';
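
Added example, not part of the reports above and not HTML_QuickForm code: it compares the raw concatenation, the addslashes() fix proposed in both reports, and json_encode() with the JSON_HEX_* flags as a JavaScript string encoder. It goes beyond the two reported cases by including a newline and a `</script>` label, which addslashes() leaves unescaped. The function names and sample labels are hypothetical, and it assumes PHP 5.5+ with UTF-8 option text.

```php
<?php
// Added illustration only; js_pair_* and js_string are hypothetical names.

// Pattern from both reports: raw option text placed between quotes.
function js_pair_raw($value, $text)
{
    return '"' . $value . '":"' . $text . '"';
}

// Fix proposed in the reports: addslashes() escapes ', ", \ and NUL only.
function js_pair_addslashes($value, $text)
{
    return '"' . addslashes($value) . '":"' . addslashes($text) . '"';
}

// json_encode() emits a complete JS string literal, quotes included.
// The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so the
// value cannot close the literal or the surrounding <script> element.
function js_string($s)
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $out = json_encode((string) $s, $flags);
    if ($out === false) {
        // For a string this means malformed UTF-8; fail instead of emitting ''.
        throw new InvalidArgumentException('cannot encode: ' . json_last_error_msg());
    }
    return $out;
}

function js_pair_encoded($value, $text)
{
    return js_string($value) . ':' . js_string($text);
}

// Constructed sample option labels.
$samples = array(
    'O\'Reilly',           // label from the first report
    '"bar"',               // label from the second report
    "line one\nline two",  // raw newline: unterminated string literal in JS
    'a</script>b',         // closes the enclosing <script> element in HTML
);

foreach ($samples as $i => $text) {
    echo 'raw:        hs_bug_0 = { ', js_pair_raw($i, $text), " }\n";
    echo 'addslashes: hs_bug_0 = { ', js_pair_addslashes($i, $text), " }\n";
    echo 'encoded:    hs_bug_0 = { ', js_pair_encoded($i, $text), " }\n\n";
}
```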