-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: replace htmlspecialchars with escaping functions for recent commit #7146
Conversation
@@ -50,12 +50,12 @@ | |||
sqlStatement("INSERT INTO template_users (tu_user_id,tu_template_id) VALUES (?,?)", array($_SESSION['authUserID'], $newid)); | |||
} | |||
echo "<select name='template' id='template' onchange='TemplateSentence(this.value)' style='width:180px'>"; | |||
echo "<option value=''>" . htmlspecialchars(xl('Select category'), ENT_QUOTES) . "</option>"; | |||
echo "<option value=''>" . xlt('Select category') . "</option>"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
needs to be xla() option value is an attribute.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! I was too lazy to do this script!:)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lol, look at me Brady, I'm catching escaping missteps.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
echo "<input type='button' name='update' onclick=update_item('" . $row['cl_list_slno'] . "') value='" . htmlspecialchars(xl('Update'), ENT_QUOTES) . "'><input type='button' name='cancel' value='" . htmlspecialchars(xl('Cancel'), ENT_QUOTES) . "' onclick=cancel_item('" . htmlspecialchars($row['cl_list_slno'], ENT_QUOTES) . "')></div>"; | ||
echo "<img src='" . $GLOBALS['images_static_relative'] . "/deleteBtn.png' onclick=\"delete_item(" . attr_js($row['cl_list_slno']) . ")>"; | ||
echo "<div id='update_item" . attr($row['cl_list_slno']) . "' style='display:none'><textarea name='update_item_txt" . attr($row['cl_list_slno']) . "' id='update_item_txt" . attr($row['cl_list_slno']) . "' class='w-100'>" . text($row['cl_list_item_long']) . "</textarea><br />"; | ||
echo "<input type='button' name='update' onclick=update_item(" . attr_js($row['cl_list_slno']) . ") value='" . xla('Update') . "'><input type='button' name='cancel' value='" . xla('Cancel') . "' onclick=cancel_item(" . attr_js($row['cl_list_slno']) . ")></div>"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does attr_js provide quotes? I'd inspect this in browser to ensure.
I believe it should be: onclick=cancel_item('" . attr_js($row['cl_list_slno']) . "')
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hi, it provides quotes (the json_encode part of the function), which then get html escaped (the attr part of the function) :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bradymiller I'm not so sure Brady. The single quote is part of the html syntax. any quote provided by function is part of inserted value i.e a string. I've run into this issue on occasions in the past. While the browser may let you get away with it it prob throws syntax warning. I checked this out in browser by inspection so while works either way in most occasions is it following correct html syntax.
It is interesting though. Does the browser intercede?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sjpadgett , haven't seen any issues in rest of codebase where the '
is not included. Any use cases where this is breaking or throwing a syntax error?
@@ -50,12 +50,12 @@ | |||
sqlStatement("INSERT INTO template_users (tu_user_id,tu_template_id) VALUES (?,?)", array($_SESSION['authUserID'], $newid)); | |||
} | |||
echo "<select name='template' id='template' onchange='TemplateSentence(this.value)' style='width:180px'>"; | |||
echo "<option value=''>" . htmlspecialchars(xl('Select category'), ENT_QUOTES) . "</option>"; | |||
echo "<option value=''>" . xla('Select category') . "</option>"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
xlt() since is not an html attribute (the value attribute is blank)
…mmit (openemr#7146) * chore: replace htmlspecialchars with escaping functions * fix ups * fix: mpdf fatal error * Jerry's catch * Brady's catch * revert for own issue/per (cherry picked from commit eb0d7f2)
Fixes #
Short description of what this resolves:
Changes proposed in this pull request: