Properly escape parameters to Dwoo "a" blocks.

68c7cb0a · Chris Wilson · d3caa8b3 · 68c7cb0a
Commit 68c7cb0a authored Nov 14, 2011 by Chris Wilson
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

Plugin.php lib/Dwoo/Plugin.php +5 -1

No files found.
--- a/lib/Dwoo/Plugin.php
+++ b/lib/Dwoo/Plugin.php
@@ -73,10 +73,14 @@ abstract class Dwoo_Plugin
 			$out .= ' '.$attr.'=';
 			if (trim($val, '"\'')=='' || $val=='null') {
 				$out .= str_replace($delim, '\\'.$delim, '""');
+				// $out .= ' '.$delim.'.htmlentities('.$attr.').'.$delim.'=';
 			} elseif (substr($val, 0, 1) === $delim && substr($val, -1) === $delim) {
 				$out .= str_replace($delim, '\\'.$delim, '"'.substr($val, 1, -1).'"');
 			} else {
-				$out .= str_replace($delim, '\\'.$delim, '"') . $delim . '.'.$val.'.' . $delim . str_replace($delim, '\\'.$delim, '"');
+				// $out .= str_replace($delim, '\\'.$delim, '"') . $delim . '.'.$val.'.' . $delim . str_replace($delim, '\\'.$delim, '"');
+				$out .= str_replace($delim, '\\'.$delim, '"') .
+					$delim . '.htmlentities(' . $val . ').' . $delim .
+					str_replace($delim, '\\'.$delim, '"');
 			}
 		}