Quotation marks in description are not encoded when inserted, which leads to premature closing of attributes and insertion of extra attributes.

For example if my description is:
"quotation marks" cause problems

What gets inserted is:
<a cause="" href="filename" quotation="" title="">"quotation marks" cause problems</a>

I have solved the problem locally by editing insert.js to change the line:
var fieldValue = $(settings.fields[fieldName], wrapper).val();
to:
var fieldValue = $(settings.fields[fieldName], wrapper).val().replace(/"/g, '&quot;');

...but I'm not sure if that's a complete or the best solution, or if it might cause problems elsewhere.

Attached file: #4 insert_encode.patch (715 bytes, by quicksketch)

Comments

kpaxman wrote:

Further testing has revealed that angle brackets don't get encoded either. Well, nothing gets encoded by default, but angle brackets are a problem because they look like HTML to browsers.

I updated the replacement line to:

// Escape the characters that are special in HTML attribute values and text.
// '&' is replaced first so the entities produced below are not escaped again.
var fieldValue = $(settings.fields[fieldName], wrapper).val()
        .replace(/&/g, '&amp;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;');

...which I think gets all the likely problem-causers.

quicksketch wrote:

Thanks for the report @kpaxman! I'm busy with a lot of other projects at the moment so it may be a while before I can review this solution.

kpaxman wrote:

Another update, anyway... the replace shouldn't happen at that point because fieldValue might be empty. It should instead be inside the if statement.

So:

var fieldValue = $(settings.fields[fieldName], wrapper).val();
if (fieldValue) {
  // Escape only when a value is present; calling .replace() on an
  // undefined or empty value is what the earlier version got wrong.
  fieldValue = fieldValue
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
  // ... the existing code that uses fieldValue continues here, still inside the if.
}

...and then the existing code.
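The failure mode from the issue and the fix discussed above, as an added stand-alone example (not code from the Insert module or from the issue participants). It builds the link both ways and runs a small attribute tokenizer over the result, an approximation of the HTML tokenizer's attribute states rather than a full parser, to show how the unescaped description is split into extra attributes while the escaped one survives as a single title. The function names (buildLinkUnsafe, buildLinkSafe, parseStartTagAttributes) and the sample input are constructed for this example.

```javascript
// Added example, not part of the Insert module. Names below are hypothetical.

// Escape a value for use inside a double-quoted attribute and as element text.
// Same five replacements as the patch; '&' goes first so the entities
// produced by the later replacements are not escaped a second time.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Inverse of escapeHtml for the five entities it emits ('&' last).
function unescapeHtml(value) {
  return String(value)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&');
}

// The pattern behind the bug: field values dropped straight into the markup.
function buildLinkUnsafe(href, title) {
  return '<a title="' + title + '" href="' + href + '">' + title + '</a>';
}

// The fixed pattern: every value escaped before interpolation.
function buildLinkSafe(href, title) {
  var t = escapeHtml(title);
  return '<a title="' + t + '" href="' + escapeHtml(href) + '">' + t + '</a>';
}

// Tokenize the attributes of the first start tag in `markup`.
// A name runs until whitespace, '=', '/' or '>'; a quoted value runs to the
// matching quote, and whatever follows that closing quote starts a new
// attribute name. That is how `"quotation marks" cause problems` turns into
// title="" quotation="" cause="" ... once the first '"' closes the title.
function parseStartTagAttributes(markup) {
  if (markup.charAt(0) !== '<') { throw new Error('expected a start tag'); }
  var attrs = [];
  var n = markup.length;
  var i = 1;
  while (i < n && !/[\s\/>]/.test(markup.charAt(i))) { i++; }  // skip tag name
  while (i < n) {
    var c = markup.charAt(i);
    if (/\s/.test(c) || c === '/') { i++; continue; }
    if (c === '>') { break; }
    var name = '';
    while (i < n && !/[\s=\/>]/.test(markup.charAt(i))) { name += markup.charAt(i++); }
    while (i < n && /\s/.test(markup.charAt(i))) { i++; }
    var value = '';
    if (markup.charAt(i) === '=') {
      i++;
      while (i < n && /\s/.test(markup.charAt(i))) { i++; }
      var q = markup.charAt(i);
      if (q === '"' || q === "'") {
        i++;
        while (i < n && markup.charAt(i) !== q) { value += markup.charAt(i++); }
        i++;  // consume the closing quote
      } else {
        while (i < n && !/[\s>]/.test(markup.charAt(i))) { value += markup.charAt(i++); }
      }
    }
    attrs.push({ name: name.toLowerCase(), value: value });
  }
  return attrs;
}

function attributeNames(markup) {
  return parseStartTagAttributes(markup).map(function (a) { return a.name; });
}

// Constructed input: the description from the issue report.
var DESCRIPTION = '"quotation marks" cause problems';

var unsafe = buildLinkUnsafe('filename', DESCRIPTION);
var safe = buildLinkSafe('filename', DESCRIPTION);
console.log(unsafe, attributeNames(unsafe));  // title, quotation, ..., cause, ..., href
console.log(safe, attributeNames(safe));      // title, href
```

The tokenizer keeps the stray tokens such as `marks"` as attribute names, which a browser also does, so the list it prints is a superset of the four attributes shown in the issue; the point is that the unescaped title is empty and the rest of the description has become attributes, while the escaped version decodes back to the original description.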

quicksketch wrote:

Status: Active » Fixed

Thanks, I've committed this patch to both branches.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.