diff --git a/includes/common.inc b/includes/common.inc index 481edae..99bc062 100644 --- a/includes/common.inc +++ b/includes/common.inc @@ -4799,14 +4799,14 @@ function drupal_clear_js_cache() { /** * Converts a PHP variable into its JavaScript equivalent. * - * We use HTML-safe strings, i.e. with <, > and & escaped. + * We use HTML-safe strings, with several characters escaped. * * @see drupal_json_decode() * @ingroup php_wrappers */ function drupal_json_encode($var) { - // json_encode() does not escape <, > and &, so we do it with str_replace(). - return str_replace(array('<', '>', '&'), array('\u003c', '\u003e', '\u0026'), json_encode($var)); + // Encode <, >, ', &, and " using the json_encode() options parameter. + return json_encode($var, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT); } /** diff --git a/modules/simpletest/tests/common.test b/modules/simpletest/tests/common.test index 177e457..ccd3e34 100644 --- a/modules/simpletest/tests/common.test +++ b/modules/simpletest/tests/common.test @@ -2317,8 +2317,10 @@ class DrupalJSONTest extends DrupalUnitTestCase { $str .= chr($i); } // Characters that must be escaped. - $html_unsafe = array('<', '>', '&'); - $html_unsafe_escaped = array('\u003c', '\u003e', '\u0026'); + // We check for unescaped " separately. + $html_unsafe = array('<', '>', '\'', '&'); + // The following are the encoded forms of: < > ' & " + $html_unsafe_escaped = array('\u003C', '\u003E', '\u0027', '\u0026', '\u0022'); // Verify there aren't character encoding problems with the source string. $this->assertIdentical(strlen($str), 128, t('A string with the full ASCII table has the correct length.')); @@ -2330,6 +2332,11 @@ class DrupalJSONTest extends DrupalUnitTestCase { $json = drupal_json_encode($str); $this->assertTrue(strlen($json) > strlen($str), t('A JSON encoded string is larger than the source string.')); + // The first and last characters should be ", and no others. + $this->assertTrue($json[0] == '"', t('A JSON encoded string begins with ".')); + $this->assertTrue($json[strlen($json) - 1] == '"', t('A JSON encoded string ends with ".')); + $this->assertTrue(substr_count($json, '"') == 2, t('A JSON encoded string contains exactly two ".')); + // Verify that encoding/decoding is reversible. $json_decoded = drupal_json_decode($json); $this->assertIdentical($str, $json_decoded, t('Encoding a string to JSON and decoding back results in the original string.')); diff --git a/modules/taxonomy/taxonomy.test b/modules/taxonomy/taxonomy.test index aa7cc2e..597bfc3 100644 --- a/modules/taxonomy/taxonomy.test +++ b/modules/taxonomy/taxonomy.test @@ -627,11 +627,11 @@ class TaxonomyTermTestCase extends TaxonomyWebTestCase { } $this->assertNoText($term1->name, t('The deleted term %name does not appear on the node page.', array('%name' => $term1->name))); - // Test autocomplete on term 2 - it contains a comma, so expect the key to - // be quoted. + // Test autocomplete on term 2, which contains a comma. + // The term will be quoted, and the " will be encoded in unicode (\u0022). $input = substr($term2->name, 0, 3); $this->drupalGet('taxonomy/autocomplete/taxonomy_' . $this->vocabulary->machine_name . '/' . $input); - $this->assertRaw('{"\"' . $term2->name . '\"":"' . $term2->name . '"}', t('Autocomplete returns term %term_name after typing the first 3 letters.', array('%term_name' => $term2->name))); + $this->assertRaw('{"\u0022' . $term2->name . '\u0022":"' . $term2->name . '"}', t('Autocomplete returns term %term_name after typing the first 3 letters.', array('%term_name' => $term2->name))); // Test autocomplete on term 3 - it is alphanumeric only, so no extra // quoting.