Issue Type: Bug Created: 2008-09-03T08:41:10.000+0000 Last Updated: 2011-08-13T22:12:10.000+0000 Status: Open Fix version(s): Reporter: Tianon Gravi (admwiggin) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_View
Related issues: Attachments:
What is the purpose of not escaping on* HTML attributes? ```
Is the reason for this change Dojo-related? If so, what purpose does it serve and what is gained by the change?
Posted by Thomas Weidner (thomas) on 2008-09-03T09:36:43.000+0000
Fixed wrong component assignment
Posted by Matthew Weier O'Phinney (matthew) on 2008-09-11T06:20:55.000+0000
Could the reporter of this issue post a real-world use case where escaping in the on* attributes would be useful?
Right now, my colleagues and I cannot think of one. Having it unescaped has many uses, however:
If we support this request, it will be via an optional flag to enable escaping for such event attributes, but currently we cannot see a good reason for it.
Posted by Marc Bennewitz (GIATA mbH) (mben) on 2008-09-11T07:16:06.000+0000
Please test the example: not escaped is invalid:
<pre class="highlight"> escaped is valid:
I don't understand why you encode json if it is a non scalar attribute value. The event attributes are js functions but json doesn't do anything. Example: ``` What is the use of this event function ? Can you give me an example where it is usable ?
Posted by Tianon Gravi (admwiggin) on 2008-09-11T07:33:01.000+0000
Marc answered beautifully. Also, if we view the standard for XHTML 1.0 itself, we find the following: http://www.w3.org/TR/xhtml1/#h-4.4 "Attribute values must always be quoted"
This includes onclick, onchange, etc. Just try running Marc's example, and then try validating both ways. You'll understand.
I too am also curious as to how JSON-encoded on* values are useful.
Posted by TNF ICT Dept (tnfict) on 2008-10-13T04:14:50.000+0000
Recent changes in ZF (starting at 1.6.0) broke backward compatibility for us in the formButton implementation.
Where we had the following code: formButton('bMailAttendants', $this->getTranslation('mail\_attendants'), array('class' => 'buttonDefault', 'onclick' => 'mailAttendants(this,"'.$this->controllerName.'")')); ?>
we had to change this to: formButton('bMailAttendants', $this->getTranslation('mail\_attendants'), array('class' => 'buttonDefault', 'onclick' => 'mailAttendants(this,\\''.$this->controllerName.'\\')')); ?>
to work around the escaping code in Zend_View_Helper_HtmlElement::_htmlAttribs()
I submitted this as a separate bug, ZF-4313, because at the time, I couldn't comment on issues. Please feel free to mark ZF-4313 as a duplicate of this bug.
Posted by old of Satoru Yoshida (email@example.com) on 2008-11-08T18:28:39.000+0000
The problem that TNF ICT Dept commented is solved in ZF-4333 and ZF-4313.
But in this comment, I do not mean this issue is fixed.
Have you found an issue?
See the Overview section for more details.