What gives?

edited December 2006 in Vanilla 1.0 Help
What's causing this (in a comment)...
onclick="return hs.expand(this)"

To turn into this...
&#111;nclick="return hs.expand(this)"

I suspected the HTML Formatter extension but I can't find any replace function that changes the o character into its corresponding code.

Comments

  • TomTester
    edited December 2006
    Sounds like a security feature to me... Does it also happen in code format?
  • edited December 2006
    It is in the HTML formatter. The behavior is caused by this block, near line 226:
    //convert any events to a safe form
    $sReturn = preg_replace_callback(
        '/([^\w]+?)(o|O)n([\w]+)\s*=(.+?)/si',
        create_function(
            '$m',
            'return ($m[1].\'&#\'.ord($m[2]).\';\'.$m[3].\'=\'.$m[4]);'
        ),
        $sReturn
    );
  • Thanks WallPhone,
    I couldn't see that for looking!

    Now I am able to have Highslide inside a comment.

    Posted: Thursday, 7 December 2006 (AEDT)

  • edited December 2006
    Just a heads up--removing that block opens up the possibility of a cross site scripting attack. To keep the added functionality while still 'wearing protection', it's better to not remove the above block and instead code the generic script into a custom tag like is done for google video and youtube elsewhere in the extension. </disclaimer> Wow... /me likes Highslide. Wants it as an extension to attachments 2.0!
  • Quote: WallPhone
    "To keep the added functionality while still 'wearing protection', it's better to not remove the above block and instead code the generic script into a custom tag"
    Thanks again mate, I appreciate what you say.

    I didn't remove the entire block, I just made a little modification to allow the script.

    If I knew how to go about the custom tag thing I would, for now I'm happy with being able to show off using the highslide script.

    Posted: Thursday, 7 December 2006 (AEDT)

This discussion has been closed.