What gives?

Wanderer · December 2006

What's causing this (in a comment)...
onclick="return hs.expand(this)"

To turn into this...
onclick="return hs.expand(this)"

I suspected the HTML Formatter extension but I can't find any replace function that changes the o character into its corresponding code.

TomTester · December 2006

Sounds like a security feature to me... Does it also happen in code format?

WallPhone · December 2006

It is in the HTML formatter. The behavior is caused by this block, near line 226:

		//convert any events to a safe form
		$sReturn = preg_replace_callback(
			'/([^\w]+?)(o|O)n([\w]+)\s*=(.+?)/si',
			create_function(
				'$m',
				'return ($m[1].\'&#\'.ord($m[2]).\';\'.$m[3].\'=\'.$m[4]);'
			),
			$sReturn
		);

Wanderer · December 2006

Thanks WallPhone,
I couldn't see that for looking!

Now I am able to have Highslide inside a comment.

Posted: Thursday, 7 December 2006 (AEDT)

WallPhone · December 2006

Just a heads up--removing that block opens up the possibility of a cross site scripting attack. To keep the added functionality while still 'wearing protection', it's better to not remove the above block and instead code the generic script into a custom tag like is done for google video and youtube elsewhere in the extension. </disclaimer> Wow... /me likes Highslide. Wants it as an extension to attachments 2.0!

Wanderer · December 2006

Quote: WallPhone To keep the added functionality while still 'wearing protection',
it's better to not remove the above block and instead code the generic script into a custom tag
Thanks again mate, I appreciate what you say.

I didn't remove the entire block, I just made a little modification to allow the script.

If I knew how to go about the custom tag thing I would, for now I'm happy with being able to show off using the highslide script.

Posted: Thursday, 7 December 2006 (AEDT)

What gives?

Comments