Enh yiisoft#551: Added $safe parameter to CJavaScript::encode. If set…

… to true, 'js:' will not be allowed

CHANGELOG

@@ -60,6 +60,7 @@ Version 1.1.11 work in progress
 - Enh #369: Added $hashKey to CCache (kidol)
 - Enh #414: Added sort parameter to yiic message command that sorts messages by key when merging (ranvis)
 - Enh #455: Added support for default value in CConsoleCommand::prompt (eagleoneraptor)
+- Enh #551: Added $safe parameter to CJavaScript::encode. If set to true, 'js:' will not be allowed (samdark)
 - Enh #552: Added support for http-level caching via CHttpCacheFilter (DaSourcerer)
 - Enh #568: CHtml::getIdByName() will now convert spaces to underscore to get proper ID for HTML elements (mdomba)
 - Enh #578: Added extension checks to CMemCache (samdark)

framework/web/helpers/CJavaScript.php

@@ -48,14 +48,18 @@ public static function quote($js,$forUrl=false)
 	 * For highly complex data structures use {@link jsonEncode} and {@link jsonDecode}
 	 * to serialize and unserialize.
 	 *
+	 * If you are encoding user input, make sure $safe is set to true.
+	 *
 	 * @param mixed $value PHP variable to be encoded
+	 * @param boolean $safe If true, 'js:' will not be allowed.
+	 * Default is false. This parameter is available since 1.1.11.
 	 * @return string the encoded string
 	 */
-	public static function encode($value)
+	public static function encode($value,$safe=false)
 	{
 		if(is_string($value))
 		{
-			if(strpos($value,'js:')===0)
+			if(strpos($value,'js:')===0 && $safe===false)
 				return substr($value,3);
 			else
 				return "'".self::quote($value)."'";