Modal titles should be escaped properly #7845
@@ -191,7 +191,7 @@ | |||
'bootstrap.renderModal', | |||
'collapseModal', | |||
array( | |||
'title' => JText::_('COM_BANNERS_BATCH_OPTIONS'), |
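Review bot: The 'title' value on the last line is handed to bootstrap.renderModal exactly as JText::_() returns it, so whether a translation containing a quote is safe depends entirely on what the layout does with it. Every other renderModal caller will have the same 'title' => JText::_(...) shape, so escaping once at the point where the title is output is less error-prone than fixing each call site, and the layout's doc comment should state which context (HTML or JavaScript) the title is escaped for.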
@dgt41 Can't we just use this here:
JText::_('COM_BANNERS_BATCH_OPTIONS', true),
Yup, did that!
Found a not-so-elegant solution in the layout...
That looks wrong. There must be a better way.
I hope so... that's why I wrote a "not-so-elegant" solution...
Just curious, what's wrong with
that would work indeed
@dgt41
Hi, some further info here, the problem comes from this line:
One tester more to get this merged
Instead of using a custom preg_replace, please use the native function
@Bakual
@Bakual @infograf768 done!
OK here!
All looking OK here. Setting to RTC as we have 2 successful tests. This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7845.
Modal titles should be escaped properly
I think @Fedik's suggestion is the preferred way to encode HTML Tag parameters: which will
I mean it is used inside Joomla and extensions code extensively to encode HTML Tag parameters, why is this an exception?
@ggppdk George, if you think that the current merged solution is inadequate please do a new PR!
I am not sure )) that is why my post was a question. I noted that in other places we are escaping the value of HTML tag parameters in a different way
The thing here is that the string has to be escaped for JavaScript not for html, so I'm not sure if your suggestion will work. Currently I'm not at my desk so I cannot test it....
addslashes will work for javascript
The only issue was the single quote which needs to be escaped for JS. Otherwise JS thinks the string ends and the code is broken. So your suggestion would not work.
But then I see that HTML created by the ...\modal.php
SORRY, I missed that! So yes, you are right (as I said, I am often wrong)
Just a note, I think it would be best that HTML creation in template is more consistent
@dgt41 I wish I could contribute, just I am involved with 2 web softwares with too large a code base. A reason for the comment is that I remember my modals sometimes being broken (I don't remember why), and I ended up replacing them with jQuery modals
This should take care of titles that contain quotes
Test
Make sure that nothing breaks
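The HTML-versus-JavaScript escaping question raised in this thread, as an added example that is not code from the PR or from Joomla. It assumes the title is written between single quotes in an inline script block; the title is constructed, the helper names are hypothetical, and json_encode is an extra option not mentioned in the thread.

```php
<?php
// Added example, not Joomla code. The title is a constructed translation string.
$title = "Options du lot d'articles </script>";

// Assumed context: the value is written between single quotes in an inline <script>.
// Returns a reason when the value breaks out of that context, or null when it does not.
function breaksInlineScript(string $body): ?string
{
    // The HTML parser closes the script element here regardless of JS quoting.
    if (stripos($body, '</script') !== false) {
        return 'ends the script element';
    }
    for ($i = 0, $n = strlen($body); $i < $n; $i++) {
        if ($body[$i] === '\\') {
            $i++; // skip the character the backslash escapes
        } elseif ($body[$i] === "'" || $body[$i] === "\n" || $body[$i] === "\r") {
            return 'ends the string literal';
        }
    }
    return null;
}

// The escaping options discussed in the thread, applied to the same title.
function candidates(string $title): array
{
    $hex = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    return [
        'raw'                     => $title,
        'htmlspecialchars COMPAT' => htmlspecialchars($title, ENT_COMPAT, 'UTF-8'),
        // Parses as JS, but the script receives the text "&#039;", not an apostrophe.
        'htmlspecialchars QUOTES' => htmlspecialchars($title, ENT_QUOTES, 'UTF-8'),
        // Handles the quote, leaves "</script>" untouched.
        'addslashes'              => addslashes($title),
        // json_encode returns a double-quoted literal; strip its own quotes to compare.
        'json_encode + HEX flags' => substr(json_encode($title, $hex), 1, -1),
    ];
}

foreach (candidates($title) as $name => $body) {
    printf("%-24s %-52s %s\n", $name, $body, breaksInlineScript($body) ?? 'ok');
}
```

An "ok" result only means the literal parses; HTML escaping still changes the value JavaScript sees, which is why the output context decides the escaper.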