Fixed &_v of included js files should be escaped

refael

I noticed the &_v= in JS file URLs is not escaped as &amp;amp;. I found that while running HTML validation tests.

XenForo_Template_Abstract, Line #477
PHP:
$file = $file . (strpos($file, '?') ? '&' : '?') . '_v=' . XenForo_Application::$jsVersion;
Should be
PHP:
$file = $file . (strpos($file, '?') ? '&amp;' : '?') . '_v=' . XenForo_Application::$jsVersion;
 
As written, this is as designed -- that function doesn't return HTML, it just returns a path/URL. It also returns values for JSON output as well, which explicitly shouldn't be escaped. The escaping will need to be done in getRequiredJavaScriptAsHtml(), but I need to verify whether uses of the require tag in the template are already HTML escaped themselves.
 
The escaping just needs to happen in getRequiredJavaScriptAsHtml, so I've done that now.
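
The point made in the replies above (the URL builder returns a raw URL and each output context applies its own encoding), as an added PHP example that is not part of the thread and not XenForo's code. The function names, version string and file paths are hypothetical.

```php
<?php
// Hypothetical helpers for illustration only; not XenForo's implementation.

// Builds a plain URL. No HTML escaping here, because callers feed it
// into different output contexts (HTML attributes, JSON responses).
function versionedJsUrl(string $file, string $jsVersion): string
{
    $sep = (strpos($file, '?') !== false) ? '&' : '?';
    return $file . $sep . '_v=' . rawurlencode($jsVersion);
}

// HTML sink: escape exactly once, where the URL enters the attribute.
function scriptTagsAsHtml(array $urls): string
{
    $html = '';
    foreach ($urls as $url) {
        $html .= '<script src="'
            . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
            . '"></script>' . "\n";
    }
    return $html;
}

// JSON sink: json_encode applies JSON string encoding; the URL stays raw.
function scriptListAsJson(array $urls): string
{
    return json_encode(['js' => $urls], JSON_UNESCAPED_SLASHES);
}

// Constructed sample inputs: one path without a query string, one with.
$urls = [
    versionedJsUrl('js/app/core.js', 'abc123'),
    versionedJsUrl('js/app/loader.php?f=editor', 'abc123'),
];

echo scriptTagsAsHtml($urls);      // ampersand is entity-encoded in src=""
echo scriptListAsJson($urls), "\n"; // ampersand is left as a bare &

// Escaping inside the builder instead breaks both sinks: the JSON consumer
// gets an entity it never decodes, and the HTML sink escapes a second time.
$escapedEarly = [htmlspecialchars($urls[1], ENT_QUOTES, 'UTF-8')];
echo scriptListAsJson($escapedEarly), "\n";
echo scriptTagsAsHtml($escapedEarly);
```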
 