ZF-4175: Zend_View_Helper_HtmlElement *should* escape javascript events (on*)

Description

I downloaded the latest ZF (1.6.0), and noticed the following in my search to fix a little piece of broken code: on Zend/View/Helper/HtmlElement.php: r20458@zlaptop: matthew | 2008-07-07 09:07:58 -0400 * do not escape javascript on* HTML attributes * JSON-encode non-scalar on* HTML attributes * Fix quotation issues in Slider dijits

What is the purpose of not escaping on* HTML attributes? ```

The functionality breaker comes from double quotes within the attribute (within the javascript code). These cause unexpected behavior when calling formReset or similar with an onclick event containing any amount of semi-complex code.

Is the reason for this change Dojo-related? If so, what purpose does it serve and what is gained by the change?

Comments

Fixed wrong component assignment

Could the reporter of this issue post a real-world use case where escaping in the on* attributes would be useful?

Right now, my colleagues and I cannot think of one. Having it unescaped has many uses, however:


escaping here would result in invalid javascript.

Another use case where escaping is bad is for JSON-encoded attributes, which a variety of Javascript toolkits utilize; escaping in such a case will result in invalid JSON.

If we support this request, it will be via an optional flag to enable escaping for such event attributes, but currently we cannot see a good reason for it.

The escaping of javascript in event attributes doesn't create a invalid javascript. But if it is not escaped it can be invalid:

Please test the example: not escaped is invalid:


escaped is valid:

I don't understand why you encode json if it is a non scalar attribute value. The event attributes are js functions but json doesn't do anything. Example: ``` What is the use of this event function ? Can you give me an example where it is usable ?

Marc answered beautifully. Also, if we view the standard for XHTML 1.0 itself, we find the following: http://www.w3.org/TR/xhtml1/#h-4.4 "Attribute values must always be quoted"

This includes onclick, onchange, etc. Just try running Marc's example, and then try validating both ways. You'll understand.

I too am also curious as to how JSON-encoded on* values are useful.

Recent changes in ZF (starting at 1.6.0) broke backward compatibility for us in the formButton implementation.

Where we had the following code: <?php echo $this->formButton('bMailAttendants', $this->getTranslation('mail_attendants'), array('class' => 'buttonDefault', 'onclick' => 'mailAttendants(this,"'.$this->controllerName.'")')); ?>

we had to change this to: <?php echo $this->formButton('bMailAttendants', $this->getTranslation('mail_attendants'), array('class' => 'buttonDefault', 'onclick' => 'mailAttendants(this,\''.$this->controllerName.'\')')); ?>

to work around the escaping code in Zend_View_Helper_HtmlElement::_htmlAttribs()

I submitted this as a separate bug, ZF-4313, because at the time, I couldn't comment on issues. Please feel free to mark ZF-4313 as a duplicate of this bug.

The problem that TNF ICT Dept commented is solved in ZF-4333 and ZF-4313.

But in this comment, I do not mean this issue is fixed.