$form['category'] = array(
  '#type' => 'select',
  '#name' => $formname,
  '#id' => $formname,
  '#title' => '',
  '#default_value' => '',
  '#options' => $options,
  '#description' => '',
  '#multiple' => $multiple = FALSE,
  '#required' => $required = FALSE,
  '#attributes' => array('onChange' => "top.location.href=document.getElementById('$formname').options[document.getElementById('$formname').selectedIndex].value"),
);

return -->

 <select name="" onChange="top.location.href=document.getElementById( #039; #039;).options[document.getElementById( &#039; &#039;).selectedIndex].value" class="form-select" id="">

also i try
#attributes' => array('onChange' => "top.location.href=document.getElementById(\'$formname\').options[document.getElementById(\'$formname\').selectedIndex].value")
but nothing

Comments

hasiotis’s picture

hasiotis commented

I don't know it this is a drupal 4.7 only issue but I found that if you change the following on bootstrap.inc:

function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES);
}

to

function check_plain($text) {
  return htmlspecialchars($text, ENT_COMPAT);
}

it works. But I don't even know if this is a bug or a feature ;-)

nsyll’s picture

nsyll commented
Priority: Normal » Critical

Its work, but realy what is it ? Bug or a feature

heine’s picture

heine commented
Priority: Critical » Normal

As far as I know, the generated javascript simply works. Is that what you allude to with

Its work, but realy what is it ?

If so it certainly isn't critical.

beginner’s picture

beginner commented

This bug causes that other one: http://drupal.org/node/70742 (Problems with apostrophe in file name)

yched’s picture

yched commented

@beginner : This is in fact a separate issue

beginner’s picture

beginner commented

yched's patch http://drupal.org/node/83297 has been committed to HEAD.
Please test again this issue with HEAD.
(check the mentioned issue to see if it's been backported to 4.7)

yched’s picture

yched commented

The patch http://drupal.org/node/83297 only involved upload.module display, so there's no chance it affected this issue.

'#attributes' do get passed through check_plain, (in function drupal_attributes). This is probably a good thing, but this messes with single quotes, which is problematic for JS code.

It does not seem like we can remove the ENT_QUOTE from check_plain either, There has been an attempt at it (http://drupal.org/node/29103), it even got committed, but Dries rolled it back for security concerns.

I guess adding such JS attributes is much easier now in 5.0 (new drupal_*_js functions, jQuery)
Maybe there"s a workaround here too ?

Steven’s picture

Steven commented
Status: Active » Closed (won't fix)

HTML entities are semantically equivalent to the represented character (in those cases where the literal character has no special meaning). Embedded JavaScript code works just as well whether it is escaped or not.