Re: [PEAR] HTML_QuickForm addOptions Value and htmlspecialchars
Alexey Borzov 2006-08-31, 6:58 pm
Hi,
led_belly wrote:
> When processed, the markup for the option is as follows:
>
> <option value="ga_merchants.php?op=deals&amp;id=1963">Test Item</option>
>
> I am using javascript to load new content when an option is selected so the
> value of the option must be a valid URI (i.e.: I need '&' NOT '&amp;').
>
> Any suggestions?
There is a javascript function in recent HTML_QuickForm_hierselect for
unescaping the HTML entities.

Justin Patrin 2006-08-31, 9:58 pm
On 8/31/06, Alexey Borzov <borz_off@cs.msu.su> wrote:
> Hi,
>
> led_belly wrote:
>
> There is a javascript function in recent HTML_QuickForm_hierselect for
> unescaping the HTML entities.
>
I'd just like to point out that & is not valid by itself in XHTML (and
not HTML, IIRC). It *has* to be escaped as &amp; in order to be valid.
Note that this is also done to avoid XSS (Cross Site Scripting)
attacks.
Your browser *should* be replacing the &amp; with & in the real value,
but this may be one of the places (in JS) where the value stays as the
original even though it technically shouldn't. When the value is
*submitted* again, however, it will almost surely be & and not &amp;.
--
Justin Patrin
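
The round trip described above, as an added example that is not part of the original thread and is not HTML_QuickForm's own code: the value is escaped once when written into the attribute and decoded once when read back, so script that is handed the still-escaped text needs a single-pass decode. The function names and the second sample value are constructed for illustration.

```javascript
// Added example: models the escaping htmlspecialchars() applies to an
// attribute value and the decoding an HTML parser performs when reading it.
// escapeAttr, unescapeAttr, renderOption and rawValue are hypothetical names.

const ESCAPES = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
const UNESCAPES = { '&amp;': '&', '&quot;': '"', '&lt;': '<', '&gt;': '>' };

// Escape the four characters htmlspecialchars() replaces under ENT_COMPAT.
function escapeAttr(value) {
  return String(value).replace(/[&"<>]/g, (ch) => ESCAPES[ch]);
}

// Decode in a single pass so that "&amp;lt;" becomes "&lt;" and not "<".
// Chained replace() calls that handle "&amp;" first would decode twice.
function unescapeAttr(markup) {
  return String(markup).replace(/&(?:amp|quot|lt|gt);/g, (ent) => UNESCAPES[ent]);
}

// Build the <option> markup the way a form library would emit it.
function renderOption(value, label) {
  return `<option value="${escapeAttr(value)}">${escapeAttr(label)}</option>`;
}

// Extract the raw attribute text from markup produced by renderOption.
// Safe here because escapeAttr leaves no bare double quote inside the value.
function rawValue(optionMarkup) {
  return /value="([^"]*)"/.exec(optionMarkup)[1];
}

// Constructed sample inputs: the URI from the thread and a value that
// tries to close the attribute and inject markup.
const uri = 'ga_merchants.php?op=deals&id=1963';
const hostile = 'x"><b>injected</b>';
const markup = renderOption(uri, 'Test Item');
const hostileMarkup = renderOption(hostile, 'x');

console.log(markup);                         // escaped form in the page source
console.log(unescapeAttr(rawValue(markup))); // the URI the script should load
console.log(hostileMarkup);                  // stays inside the attribute
```

Use the decoded string only as a URL or as plain text; assigning it to `innerHTML` would have it parsed as markup again and undo the escaping.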