ZF-4175: Zend_View_Helper_HtmlElement *should* escape javascript events (on*)
Description
I downloaded the latest ZF (1.6.0), and noticed the following in my search to fix a little piece of broken code: on Zend/View/Helper/HtmlElement.php: r20458@zlaptop: matthew | 2008-07-07 09:07:58 -0400 * do not escape javascript on* HTML attributes * JSON-encode non-scalar on* HTML attributes * Fix quotation issues in Slider dijits
What is the purpose of not escaping on* HTML attributes? ```
The functionality breaker comes from double quotes within the attribute (within the javascript code). These cause unexpected behavior when calling formReset or similar with an onclick event containing any amount of semi-complex code.
Is the reason for this change Dojo-related? If so, what purpose does it serve and what is gained by the change?
Comments
Posted by Thomas Weidner (thomas) on 2008-09-03T09:36:43.000+0000
Fixed wrong component assignment
Posted by Matthew Weier O'Phinney (matthew) on 2008-09-11T06:20:55.000+0000
Could the reporter of this issue post a real-world use case where escaping in the on* attributes would be useful?
Right now, my colleagues and I cannot think of one. Having it unescaped has many uses, however:
escaping here would result in invalid javascript.
Another use case where escaping is bad is for JSON-encoded attributes, which a variety of Javascript toolkits utilize; escaping in such a case will result in invalid JSON.
If we support this request, it will be via an optional flag to enable escaping for such event attributes, but currently we cannot see a good reason for it.
Posted by Marc Bennewitz (GIATA mbH) (mben) on 2008-09-11T07:16:06.000+0000
The escaping of javascript in event attributes doesn't create a invalid javascript. But if it is not escaped it can be invalid:
Please test the example: not escaped is invalid:
I don't understand why you encode json if it is a non scalar attribute value. The event attributes are js functions but json doesn't do anything. Example: ``` What is the use of this event function ? Can you give me an example where it is usable ?
Posted by Tianon Gravi (admwiggin) on 2008-09-11T07:33:01.000+0000
Marc answered beautifully. Also, if we view the standard for XHTML 1.0 itself, we find the following: http://www.w3.org/TR/xhtml1/#h-4.4 "Attribute values must always be quoted"
This includes onclick, onchange, etc. Just try running Marc's example, and then try validating both ways. You'll understand.
I too am also curious as to how JSON-encoded on* values are useful.
Posted by TNF ICT Dept (tnfict) on 2008-10-13T04:14:50.000+0000
Recent changes in ZF (starting at 1.6.0) broke backward compatibility for us in the formButton implementation.
Where we had the following code: <?php echo $this->formButton('bMailAttendants', $this->getTranslation('mail_attendants'), array('class' => 'buttonDefault', 'onclick' => 'mailAttendants(this,"'.$this->controllerName.'")')); ?>
we had to change this to: <?php echo $this->formButton('bMailAttendants', $this->getTranslation('mail_attendants'), array('class' => 'buttonDefault', 'onclick' => 'mailAttendants(this,\''.$this->controllerName.'\')')); ?>
to work around the escaping code in Zend_View_Helper_HtmlElement::_htmlAttribs()
I submitted this as a separate bug, ZF-4313, because at the time, I couldn't comment on issues. Please feel free to mark ZF-4313 as a duplicate of this bug.
Posted by old of Satoru Yoshida (yoshida@zend.co.jp) on 2008-11-08T18:28:39.000+0000
The problem that TNF ICT Dept commented is solved in ZF-4333 and ZF-4313.
But in this comment, I do not mean this issue is fixed.