
What gives?

edited December 2006 in Vanilla 1.0 Help
What's causing this (in a comment)...
onclick="return hs.expand(this)"

To turn into this...
&#111;nclick="return hs.expand(this)"

I suspected the HTML Formatter extension but I can't find any replace function that changes the o character into its corresponding code.

Comments

  • TomTester
    edited December 2006
    Sounds like a security feature to me... Does it also happen in code format?
  • edited December 2006
    It is in the HTML formatter. The behavior is caused by this block, near line 226:

    //convert any events to a safe form
    $sReturn = preg_replace_callback(
        '/([^\w]+?)(o|O)n([\w]+)\s*=(.+?)/si',
        create_function('$m', 'return ($m[1].\'&#\'.ord($m[2]).\';\'.$m[3].\'=\'.$m[4]);'),
        $sReturn
    );
  • Thanks WallPhone,
    I couldn't see that for looking!

    Now I am able to have Highslide inside a comment.

    Posted: Thursday, 7 December 2006 (AEDT)

  • edited December 2006
    Just a heads up--removing that block opens up the possibility of a cross site scripting attack. To keep the added functionality while still 'wearing protection', it's better to not remove the above block and instead code the generic script into a custom tag like is done for google video and youtube elsewhere in the extension. </disclaimer> Wow... /me likes Highslide. Wants it as an extension to attachments 2.0!
  • Quote: WallPhone: To keep the added functionality while still 'wearing protection',
    it's better to not remove the above block and instead code the generic script into a custom tag
    Thanks again mate, I appreciate what you say.

    I didn't remove the entire block, I just made a little modification to allow the script.

    If I knew how to go about the custom tag thing I would, for now I'm happy with being able to show off using the highslide script.

    Posted: Thursday, 7 December 2006 (AEDT)
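The "custom tag" approach WallPhone suggests above, as an added example (this is not code from the Vanilla 1 HTML Formatter extension or from either poster; the extension's own youtube/google video tags are not shown in this thread, so the tag syntax [highslide=URL]caption[/highslide] and the function names below are assumptions). The event-attribute neutralizer is the block quoted from the extension with the deprecated create_function() replaced by a closure; it keeps running over everything the user typed, and the Highslide onclick is only ever emitted by the formatter itself, with the user controlling nothing but the image URL and the caption:

```php
<?php
// Added example, not code from the Vanilla 1 HTML Formatter extension.
// Idea from the thread: keep the event-attribute neutralizer, and let a
// custom tag (hypothetical syntax, assumed here) emit the Highslide onclick.

// The neutralizer quoted in the thread, with create_function() swapped for a
// closure. "onclick=" becomes "&#111;nclick=", which a browser shows as text
// in the attribute name and does not bind as an event handler.
function neutralizeEventAttributes(string $html): string
{
    return preg_replace_callback(
        '/([^\w]+?)(o|O)n([\w]+)\s*=(.+?)/si',
        function (array $m): string {
            return $m[1] . '&#' . ord($m[2]) . ';' . $m[3] . '=' . $m[4];
        },
        $html
    );
}

// Hypothetical custom tag: [highslide=<image url>]caption[/highslide].
// The onclick is a fixed string written by this function; the user supplies
// only the URL (restricted to http/https) and the caption (HTML-escaped).
function expandHighslideTag(string $text): string
{
    return preg_replace_callback(
        '/\[highslide=([^\]\s]+)\](.*?)\[\/highslide\]/si',
        function (array $m): string {
            $url = $m[1];
            // Reject javascript:, data: and relative URLs; show the tag as plain text instead.
            if (!preg_match('#^https?://#i', $url)) {
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            $href    = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
            $caption = htmlspecialchars($m[2], ENT_QUOTES, 'UTF-8');
            return '<a href="' . $href . '" class="highslide" onclick="return hs.expand(this)">'
                 . $caption . '</a>';
        },
        $text
    );
}

// Order matters: neutralize first, so no handler the user typed survives,
// then expand the tag, whose onclick is generated here rather than taken from input.
function formatComment(string $raw): string
{
    return expandHighslideTag(neutralizeEventAttributes($raw));
}

// Constructed sample inputs.
$rawHtml = '<a href="big.jpg" onclick="return hs.expand(this)">raw html</a>';
$tag     = '[highslide=http://example.com/big.jpg]View image[/highslide]';
$evil    = '[highslide=javascript:alert(1)]click[/highslide]';

echo formatComment($rawHtml), "\n";  // hand-written onclick is neutralized
echo formatComment($tag), "\n";      // tag expands to a link with the fixed Highslide onclick
echo formatComment($evil), "\n";     // non-http URL: tag is shown as escaped text, no link
```

The neutralizer is deliberately left untouched, since loosening its regex (for example, to let one specific onclick value through) means a user who can type that value, plus something that follows it, gets a live handler; generating the attribute server-side from a restricted URL and an escaped caption avoids that.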
