Commit 27a6767a authored by Leigh B Stoller's avatar Leigh B Stoller

Some quick fixes for how we encode the extension text into JSON; there was
an interaction between htmlentities and json_encode. I got rid of the
former and added options to json_encode, but that is not safe, so we need to
make sure we use jQuery .text() and the Underscore template <%- when displaying
that text.
parent 30afbb02
...@@ -120,7 +120,7 @@ if (count($extensions)) { ...@@ -120,7 +120,7 @@ if (count($extensions)) {
$foo[$extension->idx()] = $extension->info; $foo[$extension->idx()] = $extension->info;
} }
echo "<script type='text/plain' id='extensions-json'>\n"; echo "<script type='text/plain' id='extensions-json'>\n";
echo json_encode($foo); echo json_encode($foo, JSON_HEX_APOS|JSON_HEX_QUOT|JSON_HEX_TAG|JSON_HEX_TAG);
echo "</script>\n"; echo "</script>\n";
} }
SPITFOOTER(); SPITFOOTER();
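Review bot: The flag list on the new `json_encode` call names `JSON_HEX_TAG` twice, so the fourth flag has no effect. `JSON_HEX_AMP` was probably intended, and without it `&` is emitted unescaped. The line would then read `echo json_encode($foo, JSON_HEX_APOS|JSON_HEX_QUOT|JSON_HEX_TAG|JSON_HEX_AMP);`. The same duplicated flag appears in the hunk at -282,12. `JSON_HEX_TAG` is the flag that stops a `</script>` sequence in the data from closing the `text/plain` block, so it must stay.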
......
...@@ -836,8 +836,8 @@ class ExtensionInfo ...@@ -836,8 +836,8 @@ class ExtensionInfo
return; return;
} }
$this->info = mysql_fetch_assoc($query_result); $this->info = mysql_fetch_assoc($query_result);
$this->info["reason"] = trim(CleanString($this->info["reason"])); $this->info["reason"] = trim($this->info["reason"]);
$this->info["message"] = trim(CleanString($this->info["message"])); $this->info["message"] = trim($this->info["message"]);
} }
# accessors # accessors
function field($name) { function field($name) {
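Review bot: With `CleanString()` removed, `$this->info["reason"]` and `$this->info["message"]` now hold the raw database text, and every reader of this object receives it unescaped, including the `field()` accessor that begins at the end of this hunk. The commit message covers the JSON path, but any server-side code that echoes these fields into HTML now needs escaping at the point of output, e.g. `htmlspecialchars($extension->field("reason"), ENT_QUOTES, 'UTF-8')`. A comment above the two assignments would record the new contract, such as `# reason/message are kept raw here; escape at output (HTML: htmlspecialchars, JS: .text() / <%-)`. The enclosing method and class start outside the hunk, so the other callers could not be checked from here.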
......
...@@ -282,12 +282,9 @@ if (count($extensions)) { ...@@ -282,12 +282,9 @@ if (count($extensions)) {
$foo[$extension->idx()] = $extension->info; $foo[$extension->idx()] = $extension->info;
} }
echo "<script type='text/plain' id='extensions-json'>\n"; echo "<script type='text/plain' id='extensions-json'>\n";
echo json_encode($foo); echo json_encode($foo, JSON_HEX_APOS|JSON_HEX_QUOT|JSON_HEX_TAG|JSON_HEX_TAG);
echo "</script>\n"; echo "</script>\n";
} }
if ($extension_history != "") {
echo "<pre class='hidden' id='extension_history'>$extension_history</pre>\n";
}
if ($extension_denied_reason != "") { if ($extension_denied_reason != "") {
echo "<pre class='hidden' id='extension_denied_reason'>$extension_denied_reason</pre>\n"; echo "<pre class='hidden' id='extension_denied_reason'>$extension_denied_reason</pre>\n";
} }
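Review bot: `$extension_denied_reason` is interpolated directly into the `<pre>` element, and where it is assigned is outside this hunk. If it is built from the extension `reason`/`message` fields that this commit stops passing through `CleanString()`, markup in that text would now be rendered by the browser. Escaping at the echo keeps this independent of upstream cleaning: `echo "<pre class='hidden' id='extension_denied_reason'>" . htmlspecialchars($extension_denied_reason, ENT_QUOTES, 'UTF-8') . "</pre>\n";`. If the value is already escaped at assignment, a short comment saying so would help, because escaping it twice would show literal entities to the user.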
......