[#30058] Quotes are not escaped in popup-manager.js

This pull request adds new method htmlEntities to ImageManager class. This method is used to replace quotes and brackets in alt and title attributes of images, that are inserted with com_media>images modal. Link to tracker record: http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=30058
joomla · Feb 15, 2013 · a87c619 · a87c619
1 parent 6044ca9
commit a87c619
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/media/media/js/popup-imagemanager.js b/media/media/js/popup-imagemanager.js
@@ -98,19 +98,19 @@ var ImageManager = this.ImageManager = {
 		if (url != '') {
 			// Set alt attribute
 			if (alt != '') {
-				extra = extra + 'alt="'+alt+'" ';
+				extra = extra + 'alt="' + this.htmlEntities(alt) + '" ';
 			} else {
 				extra = extra + 'alt="" ';
 			}
 			// Set align attribute
 			if (align != '') {
 				extra = extra + 'align="'+align+'" ';
 			}
-			// Set align attribute
+			// Set title attribute
 			if (title != '') {
-				extra = extra + 'title="'+title+'" ';
+				extra = extra + 'title="' + this.htmlEntities(title) + '" ';
 			}
-			// Set align attribute
+			// Set caption class
 			if (caption != '') {
 				extra = extra + 'class="caption" ';
 			}
@@ -214,7 +214,11 @@ var ImageManager = this.ImageManager = {
 	{
 		this._setFrameUrl();
 	},
-
+
+	htmlEntities: function (str) {
+		return String(str).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+	},
+
 	_setFrameUrl: function(url)
 	{
 		if (url != null) {