
Fixed &_v of included js files should be escaped

Discussion in 'Resolved Bug Reports' started by rellect, Nov 12, 2014.

  1. rellect

    rellect Well-Known Member

    I noticed that &_v= in JS file URLs is not escaped as &amp;amp;. I found that while running HTML validation tests.

    XenForo_Template_Abstract, Line #477
    PHP:
    $file = $file . (strpos($file, '?') ? '&' : '?') . '_v=' . XenForo_Application::$jsVersion;
    Should be
    PHP:
    $file = $file . (strpos($file, '?') ? '&amp;' : '?') . '_v=' . XenForo_Application::$jsVersion;
     
  2. Mike

    Mike XenForo Developer Staff Member

    As written, this is as designed -- that function doesn't return HTML, it just returns a path/URL. It also returns values for JSON output as well, which explicitly shouldn't be escaped. The escaping will need to be done in getRequiredJavaScriptAsHtml(), but I need to verify whether uses of the require tag in the template are already HTML escaped themselves.
     
  3. Mike

    Mike XenForo Developer Staff Member

    The escaping just needs to happen in getRequiredJavaScriptAsHtml, so I've done that now.
     
    rellect likes this.
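
The split discussed in the thread, as an added example that is not part of the original posts or XenForo's own code: the URL builder returns a raw URL, and each output sink applies its own encoding. The function names, file names and version string are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; these functions are hypothetical, not XenForo's API.

// Builds a raw URL. No HTML escaping here, because the result feeds
// more than one kind of output (HTML and JSON).
function versioned_js_url(string $file, string $version): string
{
    $sep = (strpos($file, '?') !== false) ? '&' : '?';
    return $file . $sep . '_v=' . rawurlencode($version);
}

// HTML sink: escape exactly once, where the URL enters the attribute.
// ENT_QUOTES also neutralises quotes that would break out of src="...".
function js_as_html(array $files, string $version): string
{
    $out = '';
    foreach ($files as $file) {
        $url = htmlspecialchars(versioned_js_url($file, $version), ENT_QUOTES, 'UTF-8');
        $out .= '<script src="' . $url . '"></script>' . "\n";
    }
    return $out;
}

// JSON sink: json_encode() does the encoding JSON needs. An HTML entity
// here would be passed to the client as part of the URL.
function js_as_json(array $files, string $version): string
{
    $urls = array_map(function ($f) use ($version) {
        return versioned_js_url($f, $version);
    }, $files);
    return json_encode(['js' => $urls], JSON_UNESCAPED_SLASHES);
}

$files   = ['js/app.js?lang=en', 'js/extra.js']; // constructed sample input
$version = 'abc123';                             // constructed sample value

$html = js_as_html($files, $version);
$json = js_as_json($files, $version);

// The HTML output carries the entity; the JSON output must not.
if (strpos($html, 'lang=en&amp;_v=abc123') === false) {
    throw new RuntimeException('HTML sink did not escape the ampersand');
}
if (strpos($json, '&amp;') !== false) {
    throw new RuntimeException('JSON sink received an HTML-escaped URL');
}
echo $html, $json, "\n";
```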
