Bug #807
[PATCH] Escape HTML for static sidebar admin inputs
| Status | Closed | Start | |
| Priority | Normal | Due date | |
| Assigned to | pdcawley | % Done | 0% |
| Category | sidebars | | |
| Target version | - | | |
| Resolution | fixed | | |
Description
I had been pasting Google adsense code into a Static sidebar, such as:
<script type="text/javascript"><!--
google_ad_client = "pub-6429360491891980";
google_ad_width = 120;
google_ad_height = 600;
google_ad_format = "120x600_as";
google_ad_type = "text_image";
google_ad_channel = "";
google_color_border = "CCCCCC";
google_color_bg = "999999";
google_color_link = "000066";
google_color_text = "333333";
google_color_url = "FFFFFF";
//--></script>
<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
But when I would return to edit my sidebars again, I would get
<script type="text/javascript"></script> <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script>
because my browser (Safari) would not populate the textarea with the commented code. Thus, I am escaping the HTML for the textarea.
History
07/09/2006 10:19 AM - Redmine Admin
Also, should the same be done for the Title? I would assume that it would work best to escape the HTML in the Title textarea also (indeed, any textarea of any sidebar) but then I think we would also want to escape the HTML on the render side as well. Thoughts?
07/09/2006 10:24 AM - Redmine Admin
Oops, the patch as it stands also escapes the text on the render side! Back to the drawing board...
07/09/2006 11:49 AM - Redmine Admin
After quite the runaround, I found out that the problem only occurs when reloading the actives div with ./app/views/admin/sidebar/publish.rjs.
I found out that the real problem was that the default text within <textarea> tags is not being escaped as it should be by spec. My new patch fixes the behavior for all sidebar textareas as well as for a stray unnoticed textarea for the iTunes enclosure metadata.
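To illustrate the escaping rule the last comment settles on, here is an added Ruby example (not the patch or any Typo code): it renders a textarea both ways and uses a deliberately simplified, constructed model of how a browser recovers the field's text, showing that only the escaped form survives a round trip through the edit page. The helper names, the `sidebar[body]` field name and the sample snippets are all assumptions made for this example.

```ruby
require 'cgi'

# Renders a <textarea> whose default text is HTML-escaped, as the spec
# requires; the browser decodes the entities back into the literal text.
def escaped_textarea(name, value)
  %(<textarea name="#{CGI.escapeHTML(name)}">#{CGI.escapeHTML(value)}</textarea>)
end

# The buggy form the report describes: the saved value is emitted verbatim.
def unescaped_textarea(name, value)
  %(<textarea name="#{CGI.escapeHTML(name)}">#{value}</textarea>)
end

# Deliberately minimal model of what a browser shows in the field: textarea
# content is RCDATA, so the first </textarea> end tag always closes the
# element, and entities inside are decoded. Constructed for illustration only.
def browser_textarea_value(html)
  body = html[/<textarea[^>]*>(.*?)<\/textarea>/mi, 1] || ''
  CGI.unescapeHTML(body)
end

# Constructed samples: an ad snippet like the one in the report (placeholder
# client id), and a value containing a literal </textarea> end tag, the case
# where the unescaped form loses the rest of the field.
AD_SNIPPET = <<~HTML
  <script type="text/javascript"><!--
  google_ad_client = "pub-EXAMPLE";
  //--></script>
  <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
HTML
STRAY_END_TAG = "harmless text</textarea><b>now outside the field</b>"

# True when what the browser would show equals what the admin saved.
def round_trips?(value)
  browser_textarea_value(escaped_textarea('sidebar[body]', value)) == value
end

if __FILE__ == $0
  puts round_trips?(AD_SNIPPET)      # true: the commented ad code survives editing
  puts round_trips?(STRAY_END_TAG)   # true: even a literal </textarea> survives
  puts browser_textarea_value(unescaped_textarea('sidebar[body]', STRAY_END_TAG))
  # => "harmless text" (the rest of the saved value fell outside the field)
end
```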
