Fixed potential vulnerability in CJavaScript::encode(): $safe parameter didn't used to be passed to the recursive method calls.
commit 4b3ea3c039e0eb68f09cd291abb3022a40272695 1 parent dcb7524
@resurtm resurtm authored
Showing with 4 additions and 3 deletions.
  1. +1 −0  CHANGELOG
  2. +3 −3 framework/web/helpers/CJavaScript.php
1  CHANGELOG
@@ -25,6 +25,7 @@ Version 1.1.13 work in progress
- Bug #1444: Fixed CGoogleApi::register call to registerScriptFile (mdomba)
- Bug #1465: Fixed CHtml::beginForm() when CActiveForm with method GET and ajaxButton is used (mdomba)
- Bug #1485 CSort does not quote table alias when using CDbCriteria (undsoft)
+- Bug: Fixed potential vulnerability in CJavaScript::encode(): $safe parameter didn't used to be passed to the recursive method calls (resurtm)
- Enh #104: Added CWebLogRoute::$collapsedInFireBug property to control whether the log should be collapsed by default in Firebug (marcovtwout)
- Enh #84: Log route categories are now accepted in form of array. Added CLogRoute::except and parameter to CLogRoute::getLogs that allows you to exclude specific categories (paystey)
- Enh #117: Added CPhpMessageSource::$extensionPaths to allow extensions, that do not have a base class to use as category prefix, to register message source (rcoelho, cebe)
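Review bot: the added "Bug:" entry carries no issue number, unlike the neighbouring "Bug #1444" and "Bug #1465" lines, and does not say which inputs were affected. Since it is described as a potential vulnerability, consider naming the nested arrays and objects whose values were encoded without $safe, so that readers of the changelog can tell whether their calls to CJavaScript::encode() with $safe=true were exposed.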
6 framework/web/helpers/CJavaScript.php
@@ -83,20 +83,20 @@ public static function encode($value,$safe=false)
elseif($value instanceof CJavaScriptExpression)
return $value->__toString();
elseif(is_object($value))
- return self::encode(get_object_vars($value));
+ return self::encode(get_object_vars($value),$safe);
elseif(is_array($value))
{
$es=array();
if(($n=count($value))>0 && array_keys($value)!==range(0,$n-1))
{
foreach($value as $k=>$v)
- $es[]="'".self::quote($k)."':".self::encode($v);
+ $es[]="'".self::quote($k)."':".self::encode($v,$safe);
return '{'.implode(',',$es).'}';
}
else
{
foreach($value as $v)
- $es[]=self::encode($v);
+ $es[]=self::encode($v,$safe);
return '['.implode(',',$es).']';
}
}
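Review bot: the three corrected recursive calls (the is_object branch and both foreach loops in the is_array branch) come without a regression test; the commit touches only CHANGELOG and CJavaScript.php. Add a test that calls encode() with $safe=true on a nested associative array, a nested list and an object, and asserts that each leaf is encoded the same way it would be when passed at the top level with $safe=true. Separately, the context line "return $value->__toString();" shows that CJavaScriptExpression values are returned as-is whatever $safe is, including when nested; if that is intended, the doc comment for $safe should say so.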