2011-07-05

2011-07-05 21:41:18 by Martin Stjernholm <mast@lysator.liu.se>

Extended the "js" quoting for safe use inside <script> elements.

Rev: server/etc/modules/Roxen.pmod:1.309

1:   // This is a roxen pike module. Copyright © 1999 - 2009, Roxen IS.   // - // $Id: Roxen.pmod,v 1.308 2011/02/28 13:58:33 grubba Exp $ + // $Id: Roxen.pmod,v 1.309 2011/07/05 21:41:18 mast Exp $      #include <roxen.h>   #include <config.h>
2839:    case "js":    case "javascript":    return replace (val, -  ({ "\b", "\014", "\n", "\r", "\t", "\\", "'", "\"" }), +  ({ "\b", "\014", "\n", "\r", "\t", "\\", +  "'", "\"", +  "</", "<!--"}),    ({ "\\b", "\\f", "\\n", "\\r", "\\t", "\\\\", -  "\\'", "\\\"" })); +  "\\'", "\\\"", +  "<\\/", "<\\!--" }));       case "mysql":    // Note: Quotes the single-quote (') in traditional sql-style,
2979:   //! Javascript string quoting, i.e. using backslash escapes for   //! @expr{"@}, @expr{\@}, and more.   //! + //! For safe use inside @tt{<script>@} elements, it quotes some + //! additional character sequences: + //! + //! @ul + //! @item + //! @tt{</@} is quoted as @tt{<\/@} according to appendix B.3.2 + //! in the HTML 4.01 spec. + //! @item + //! @tt{<!--@} is quoted as @tt{<\!--@} according to 4.3.1.2 in + //! the HTML 5 spec. + //! @endul + //! + //! Both are harmless in Javascript string literals in other + //! contexts. + //!   //! @value "mysql"   //! MySQL quoting. This also means backslash escapes, except the   //! @expr{'@} character which is quoted in SQL style as
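Review bot: in the `case "js"` hunk, the new pairs `"</"` → `"<\\/"` and `"<!--"` → `"<\\!--"` only work because `\/` and `\!` are identity escapes in Javascript string literals (they evaluate back to `/` and `!`); a one-line comment next to those two entries saying so, and pointing at the HTML 4.01 B.3.2 and HTML 5 references that the doc hunk cites, would explain to the next reader why `<` on its own is left alone. Since `"\\"` → `"\\\\"` sits in the same array, a regression test that `"a</b<!--c\\"` quotes to `"a<\\/b<\\!--c\\\\"` would pin down that the array form substitutes in one pass and the backslashes introduced by the new pairs are not escaped a second time.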
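Review bot: the new autodoc text in the `@value "js"` hunk describes the two extra sequences but does not state the precondition that makes them sufficient: the quoted value must still land inside a Javascript string literal in the `<script>` element, and the quoting does not make arbitrary text safe to emit as script code. One sentence to that effect before the `@ul` list would prevent misuse. Also consider citing the HTML 5 reference by section title ("Restrictions for contents of script elements") rather than only "4.3.1.2", since section numbers in the HTML 5 draft move between revisions while the HTML 4.01 "B.3.2" reference is stable.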