And some more escaping fixed

Signed-off-by: emanuele <emanuele45@gmail.com>
emanuele45 · Aug 13, 2014 · 19f4e83 · 19f4e83
1 parent b168a4a
commit 19f4e83
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 16 deletions.
diff --git a/sources/Load.php b/sources/Load.php
@@ -1630,15 +1630,15 @@ function loadTheme($id_theme = 0, $initialize = true)
 		);
 	// Default JS variables for use in every theme
 	addJavascriptVar(array(
-		'elk_theme_url' => '"' . $settings['theme_url'] . '"',
-		'elk_default_theme_url' => '"' . $settings['default_theme_url'] . '"',
-		'elk_images_url' => '"' . $settings['images_url'] . '"',
-		'elk_smiley_url' => '"' . $modSettings['smileys_url'] . '"',
-		'elk_scripturl' => '"' . $scripturl . '"',
+		'elk_theme_url' => JavaScriptEscape($settings['theme_url']),
+		'elk_default_theme_url' => JavaScriptEscape($settings['default_theme_url']),
+		'elk_images_url' => JavaScriptEscape($settings['images_url']),
+		'elk_smiley_url' => JavaScriptEscape($modSettings['smileys_url']),
+		'elk_scripturl' => JavaScriptEscape($scripturl),
 		'elk_iso_case_folding' => $context['server']['iso_case_folding'] ? 'true' : 'false',
 		'elk_charset' => '"UTF-8"',
-		'elk_session_id' => '"' . $context['session_id'] . '"',
-		'elk_session_var' => '"' . $context['session_var'] . '"',
+		'elk_session_id' => JavaScriptEscape($context['session_id']),
+		'elk_session_var' => JavaScriptEscape($context['session_var']),
 		'elk_member_id' => $context['user']['id'],
 		'ajax_notification_text' => JavaScriptEscape($txt['ajax_in_progress']),
 		'ajax_notification_cancel_text' => JavaScriptEscape($txt['modify_cancel']),

diff --git a/sources/Subs.php b/sources/Subs.php
@@ -2643,7 +2643,7 @@ function setupThemeContext($forceload = false)
 	$context['common_stats']['boardindex_total_posts'] = sprintf($txt['boardindex_total_posts'], $context['common_stats']['total_posts'], $context['common_stats']['total_topics'], $context['common_stats']['total_members']);
 
 	if (empty($settings['theme_version']))
-		addJavascriptVar(array('elk_scripturl' => $scripturl));
+		addJavascriptVar(array('elk_scripturl' => $scripturl), true);
 
 	if (!isset($context['page_title']))
 		$context['page_title'] = '';

diff --git a/sources/admin/ManageThemes.controller.php b/sources/admin/ManageThemes.controller.php
@@ -1643,9 +1643,9 @@ private function _action_edit_submit()
 			elseif ($is_css)
 			{
 				addJavascriptVar(array(
-					'previewData' => '',
-					'previewTimeout' => '',
-					'refreshPreviewCache' => '',
+					'previewData' => '\'\'',
+					'previewTimeout' => '\'\'',
+					'refreshPreviewCache' => '\'\'',
 					'editFilename' => JavaScriptEscape($context['edit_filename']),
 					'theme_id' => $settings['theme_id'],
 				));

diff --git a/sources/subs/Editor.subs.php b/sources/subs/Editor.subs.php
@@ -154,11 +154,11 @@ function create_control_richedit($editorOptions)
 		// JS makes the editor go round
 		loadJavascriptFile(array('jquery.sceditor.min.js', 'jquery.sceditor.bbcode.min.js', 'jquery.sceditor.elkarte.js', 'post.js', 'splittag.plugin.js', 'dropAttachments.js'));
 		addJavascriptVar(array(
-			'post_box_name' => '"' . $editorOptions['id'] . '"',
-			'elk_smileys_url' => '"' . $settings['smileys_url'] . '"',
-			'bbc_quote_from' => '"' . addcslashes($txt['quote_from'], "'") . '"',
-			'bbc_quote' => '"' . addcslashes($txt['quote'], "'") . '"',
-			'bbc_search_on' => '"' . addcslashes($txt['search_on'], "'") . '"')
+			'post_box_name' => $editorOptions['id'],
+			'elk_smileys_url' => $settings['smileys_url'],
+			'bbc_quote_from' => $txt['quote_from'],
+			'bbc_quote' => $txt['quote'],
+			'bbc_search_on' => $txt['search_on']), true
 		);
 
 		// Editor language file