chore: replace htmlspecialchars with escaping functions for recent commit #7146
Conversation
| @@ -50,12 +50,12 @@ | |||
| sqlStatement("INSERT INTO template_users (tu_user_id,tu_template_id) VALUES (?,?)", array($_SESSION['authUserID'], $newid)); | |||
| } | |||
| echo "<select name='template' id='template' onchange='TemplateSentence(this.value)' style='width:180px'>"; | |||
| echo "<option value=''>" . htmlspecialchars(xl('Select category'), ENT_QUOTES) . "</option>"; | |||
| echo "<option value=''>" . xlt('Select category') . "</option>"; | |||
There was a problem hiding this comment.
needs to be xla() option value is an attribute.
There was a problem hiding this comment.
Thanks! I was too lazy to do this script!:)
There was a problem hiding this comment.
lol, look at me Brady, I'm catching escaping missteps.
| echo "<input type='button' name='update' onclick=update_item('" . $row['cl_list_slno'] . "') value='" . htmlspecialchars(xl('Update'), ENT_QUOTES) . "'><input type='button' name='cancel' value='" . htmlspecialchars(xl('Cancel'), ENT_QUOTES) . "' onclick=cancel_item('" . htmlspecialchars($row['cl_list_slno'], ENT_QUOTES) . "')></div>"; | ||
| echo "<img src='" . $GLOBALS['images_static_relative'] . "/deleteBtn.png' onclick=\"delete_item(" . attr_js($row['cl_list_slno']) . ")>"; | ||
| echo "<div id='update_item" . attr($row['cl_list_slno']) . "' style='display:none'><textarea name='update_item_txt" . attr($row['cl_list_slno']) . "' id='update_item_txt" . attr($row['cl_list_slno']) . "' class='w-100'>" . text($row['cl_list_item_long']) . "</textarea><br />"; | ||
| echo "<input type='button' name='update' onclick=update_item(" . attr_js($row['cl_list_slno']) . ") value='" . xla('Update') . "'><input type='button' name='cancel' value='" . xla('Cancel') . "' onclick=cancel_item(" . attr_js($row['cl_list_slno']) . ")></div>"; |
There was a problem hiding this comment.
Does attr_js provide quotes? I'd inspect this in browser to ensure.
I believe it should be: onclick=cancel_item('" . attr_js($row['cl_list_slno']) . "')
There was a problem hiding this comment.
hi, it provides quotes (the json_encode part of the function), which then get html escaped (the attr part of the function) :)
There was a problem hiding this comment.
@bradymiller I'm not so sure Brady. The single quote is part of the html syntax. any quote provided by function is part of inserted value i.e a string. I've run into this issue on occasions in the past. While the browser may let you get away with it it prob throws syntax warning. I checked this out in browser by inspection so while works either way in most occasions is it following correct html syntax.
It is interesting though. Does the browser intercede?
There was a problem hiding this comment.
@sjpadgett , haven't seen any issues in rest of codebase where the ' is not included. Any use cases where this is breaking or throwing a syntax error?
| @@ -50,12 +50,12 @@ | |||
| sqlStatement("INSERT INTO template_users (tu_user_id,tu_template_id) VALUES (?,?)", array($_SESSION['authUserID'], $newid)); | |||
| } | |||
| echo "<select name='template' id='template' onchange='TemplateSentence(this.value)' style='width:180px'>"; | |||
| echo "<option value=''>" . htmlspecialchars(xl('Select category'), ENT_QUOTES) . "</option>"; | |||
| echo "<option value=''>" . xla('Select category') . "</option>"; | |||
There was a problem hiding this comment.
xlt() since is not an html attribute (the value attribute is blank)
|
Nice to see!
|
…mmit (openemr#7146) * chore: replace htmlspecialchars with escaping functions * fix ups * fix: mpdf fatal error * Jerry's catch * Brady's catch * revert for own issue/per (cherry picked from commit eb0d7f2)
Fixes #
Short description of what this resolves:
Changes proposed in this pull request: