Fixed &_v of included js files should be escaped

[refael]

I noticed &_v= in js files url is not escaped as &, found that while running html validation tests

XenForo_Template_Abstract, Line #477

$file = $file . (strpos($file, '?') ? '&' : '?') . '_v=' . XenForo_Application::$jsVersion;

Should be

$file = $file . (strpos($file, '?') ? '&' : '?') . '_v=' . XenForo_Application::$jsVersion;

 

[Mike]

As written, this is as designed -- that function doesn't return HTML, it just returns a path/URL. It also returns values for JSON output as well, which explicitly shouldn't be escaped. The escaping will need to be done in
getRequiredJavaScriptAsHtml(), but I need to verify whether uses of the require tag in the template are already HTML escaped themselves.

 

[Mike]

The escaping just needs to happen in getRequiredJavaScriptAsHtml, so I've done that now.