ZF-4175: Zend_View_Helper_HtmlElement *should* escape javascript events (on*)

Issue Type: Bug Created: 2008-09-03T08:41:10.000+0000 Last Updated: 2011-08-13T22:12:10.000+0000 Status: Open Fix version(s): Reporter: Tianon Gravi (admwiggin) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_View

  • zf-crteam-padraic
  • zf-crteam-priority

Related issues: Attachments:


I downloaded the latest ZF (1.6.0), and noticed the following in my search to fix a little piece of broken code: on Zend/View/Helper/HtmlElement.php: r20458@zlaptop: matthew | 2008-07-07 09:07:58 -0400 * do not escape javascript on* HTML attributes * JSON-encode non-scalar on* HTML attributes * Fix quotation issues in Slider dijits

What is the purpose of not escaping on* HTML attributes? ```

The functionality breaker comes from double quotes within the attribute (within the javascript code). These cause unexpected behavior when calling formReset or similar with an onclick event containing any amount of semi-complex code.

Is the reason for this change Dojo-related? If so, what purpose does it serve and what is gained by the change?


Posted by Thomas Weidner (thomas) on 2008-09-03T09:36:43.000+0000

Fixed wrong component assignment

Posted by Matthew Weier O'Phinney (matthew) on 2008-09-11T06:20:55.000+0000

Could the reporter of this issue post a real-world use case where escaping in the on* attributes would be useful?

Right now, my colleagues and I cannot think of one. Having it unescaped has many uses, however:

<pre class="highlight">

escaping here would result in invalid javascript.

Another use case where escaping is bad is for JSON-encoded attributes, which a variety of Javascript toolkits utilize; escaping in such a case will result in invalid JSON.

If we support this request, it will be via an optional flag to enable escaping for such event attributes, but currently we cannot see a good reason for it.

Posted by Marc Bennewitz (GIATA mbH) (mben) on 2008-09-11T07:16:06.000+0000

The escaping of javascript in event attributes doesn't create a invalid javascript. But if it is not escaped it can be invalid:

Please test the example: not escaped is invalid:

<pre class="highlight">
escaped is valid:

I don't understand why you encode json if it is a non scalar attribute value. The event attributes are js functions but json doesn't do anything. Example: ``` What is the use of this event function ? Can you give me an example where it is usable ?

Posted by Tianon Gravi (admwiggin) on 2008-09-11T07:33:01.000+0000

Marc answered beautifully. Also, if we view the standard for XHTML 1.0 itself, we find the following: "Attribute values must always be quoted"

This includes onclick, onchange, etc. Just try running Marc's example, and then try validating both ways. You'll understand.

I too am also curious as to how JSON-encoded on* values are useful.

Posted by TNF ICT Dept (tnfict) on 2008-10-13T04:14:50.000+0000

Recent changes in ZF (starting at 1.6.0) broke backward compatibility for us in the formButton implementation.

Where we had the following code: formButton('bMailAttendants', $this->getTranslation('mail\_attendants'), array('class' => 'buttonDefault', 'onclick' => 'mailAttendants(this,"'.$this->controllerName.'")')); ?>

we had to change this to: formButton('bMailAttendants', $this->getTranslation('mail\_attendants'), array('class' => 'buttonDefault', 'onclick' => 'mailAttendants(this,\\''.$this->controllerName.'\\')')); ?>

to work around the escaping code in Zend_View_Helper_HtmlElement::_htmlAttribs()

I submitted this as a separate bug, ZF-4313, because at the time, I couldn't comment on issues. Please feel free to mark ZF-4313 as a duplicate of this bug.

Posted by old of Satoru Yoshida ( on 2008-11-08T18:28:39.000+0000

The problem that TNF ICT Dept commented is solved in ZF-4333 and ZF-4313.

But in this comment, I do not mean this issue is fixed.

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.