
Fixed potential vulnerability in CJavaScript::encode(): $safe parameter didn't use to be passed to the recursive method calls.
1 parent dcb7524 commit 4b3ea3c039e0eb68f09cd291abb3022a40272695 @resurtm committed Oct 9, 2012
Showing with 4 additions and 3 deletions.
  1. +1 −0 CHANGELOG
  2. +3 −3 framework/web/helpers/CJavaScript.php
@@ -25,6 +25,7 @@ Version 1.1.13 work in progress
- Bug #1444: Fixed CGoogleApi::register call to registerScriptFile (mdomba)
- Bug #1465: Fixed CHtml::beginForm() when CActiveForm with method GET and ajaxButton is used (mdomba)
- Bug #1485 CSort does not quote table alias when using CDbCriteria (undsoft)
+- Bug: Fixed potential vulnerability in CJavaScript::encode(): $safe parameter didn't used to be passed to the recursive method calls (resurtm)
- Enh #104: Added CWebLogRoute::$collapsedInFireBug property to control whether the log should be collapsed by default in Firebug (marcovtwout)
- Enh #84: Log route categories are now accepted in form of array. Added CLogRoute::except and parameter to CLogRoute::getLogs that allows you to exclude specific categories (paystey)
- Enh #117: Added CPhpMessageSource::$extensionPaths to allow extensions, that do not have a base class to use as category prefix, to register message source (rcoelho, cebe)
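Review bot: the new CHANGELOG entry on the added `+- Bug: Fixed potential vulnerability ...` line has no issue number, unlike every neighbouring entry (`Bug #1444`, `Bug #1465`, `Bug #1485`); if the fix came from a tracker issue, reference it the same way, and reword "didn't used to be passed" to something like "was not forwarded to the recursive calls" so the entry reads cleanly in the release notes.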
framework/web/helpers/CJavaScript.php
@@ -83,20 +83,20 @@ public static function encode($value,$safe=false)
elseif($value instanceof CJavaScriptExpression)
return $value->__toString();
- return self::encode(get_object_vars($value));
+ return self::encode(get_object_vars($value),$safe);
if(($n=count($value))>0 && array_keys($value)!==range(0,$n-1))
foreach($value as $k=>$v)
- $es[]="'".self::quote($k)."':".self::encode($v);
+ $es[]="'".self::quote($k)."':".self::encode($v,$safe);
return '{'.implode(',',$es).'}';
foreach($value as $v)
- $es[]=self::encode($v);
+ $es[]=self::encode($v,$safe);
return '['.implode(',',$es).']';
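Review bot: the fix is missing a regression test. All three recursive calls (`self::encode(get_object_vars($value),$safe)`, the associative-array branch and the list branch) now forward `$safe`, which is the right change, but nothing guards against the next refactor dropping it again; add a unit test that encodes a nested array and an object containing a string with `$safe=true` and with `$safe=false` and asserts the inner values are treated the same way as a top-level string. Also, the hunk does not show where `$es` is initialised: confirm it is reset to an empty array before the `foreach($value as $v)` loop, since an empty list skips the `if(($n=count($value))>0 ...)` branch and would otherwise hit `implode` with an undefined variable.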
