
Fixed &_v of included js files should be escaped

rellect

Well-known member
#1
I noticed &_v= in js files url is not escaped as &amp;, found that while running html validation tests

XenForo_Template_Abstract, Line #477
PHP:
$file = $file . (strpos($file, '?') ? '&' : '?') . '_v=' . XenForo_Application::$jsVersion;
Should be
PHP:
$file = $file . (strpos($file, '?') ? '&amp;' : '?') . '_v=' . XenForo_Application::$jsVersion;
 

Mike

XenForo developer
Staff member
#2
As written, this is as designed -- that function doesn't return HTML, it just returns a path/URL. It also returns values for JSON output as well, which explicitly shouldn't be escaped. The escaping will need to be done in getRequiredJavaScriptAsHtml(), but I need to verify whether uses of the require tag in the template are already HTML escaped themselves.
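
The distinction discussed in this thread, as an added example that is not part of the thread and is not XenForo's code: the URL builder returns a raw URL, and each output path (HTML attribute, JSON) applies its own encoding exactly once. The function names `addJsVersion`, `scriptTags` and `scriptJson` and the sample file names are hypothetical.

```php
<?php
// Added illustration; these helpers are hypothetical and are not XenForo code.

// Builder: returns a raw URL. No HTML escaping here, because the same value
// is consumed by both HTML and JSON output.
function addJsVersion(string $file, string $version): string
{
    // Compare against false so a '?' at offset 0 is still detected.
    $sep = (strpos($file, '?') !== false) ? '&' : '?';
    return $file . $sep . '_v=' . rawurlencode($version);
}

// HTML sink: escape once, at the point the URL enters an attribute value.
// This is where a raw '&' in the query string becomes a valid entity.
function scriptTags(array $urls): string
{
    $html = '';
    foreach ($urls as $url) {
        $html .= '<script src="'
            . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
            . '"></script>' . "\n";
    }
    return $html;
}

// JSON sink: json_encode applies JSON encoding only. HTML entities in the
// input would reach the client as literal text and change the URL.
function scriptJson(array $urls): string
{
    return json_encode(['js' => $urls], JSON_UNESCAPED_SLASHES);
}

// Constructed sample input: one URL without and one with a query string.
$urls = [
    addJsVersion('js/app.js', 'abc123'),
    addJsVersion('js/loader.php?f=a,b', 'abc123'),
];

echo scriptTags($urls);
echo scriptJson($urls), "\n";

// Failure mode when the builder escapes and the HTML sink escapes again:
// the ampersand is entity-encoded twice and the query string is altered.
$escapedEarly = htmlspecialchars($urls[1], ENT_QUOTES, 'UTF-8');
echo htmlspecialchars($escapedEarly, ENT_QUOTES, 'UTF-8'), "\n";
```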