Slideshow Tanks if Picture Captions Have Quotes in Them

[mike]

This should be a simple fix, but captions in the function generate_slideshow_js need to be escaped properly or else the JavaScript? will produce a parse error and a blank white box will appear on the slideshow.

[derek]

I urlencode()'d each param for the slide constructor function, then had the javascript constructor unescape() each value.

Caveat: Previously, Plogger wasn't using the the constructor at all; just accessing the member variables.

print 's = new slide();  
s.src = "'.plogger_get_picture_thumb(THUMB_LARGE).'";  
s.link = "'.plogger_get_source_picture_url().'";  
s.text = "'.plogger_get_picture_caption().'";  
s.image_name = "'.basename($pic['path']).'";';

This is practice is called insufficient encapsulation. Now, it's actually dangerous, because bypassing the constructor will mean your urlencode'd string will not get decoded (unescape'd) by the javascript; which will either still break the javascript or not get decoded.

echo 's = new slide("'.urlencode(plogger_get_picture_thumb(THUMB_LARGE)).'",  
"'.urlencode(plogger_get_source_picture_url()).'",  
"'.urlencode(plogger_get_picture_caption()).'",  
"_self","","","'.urlencode(basename($pic['path'])).'");';

The other method is to instead run htmlentities() before passing the values. From my testing the above works, but additional tests would be helpful.

Does anybody have a preference re: urlencode vs htmlentities?

[Mike]

Is URLEncode the proper function to use here? I was under the impression that URLEncode was used for, well, encoding URLS. This does some wacky replacements, like replacing a space with %20 and ampersands with %26. I think HTMLEntities would be much more appropriate.

The best solution would be to just escape the quotes, no?

[derek]

Well, with unescape() in js it urldecode's the values, so you never see all the funky ascii replacements (there are a lot).

I was trying to come up with a solution that was relatively enforceable. If htmlentities() is used as a solution, it's entirely dependent on the theme to pass the proper values. This way, at least things go foobar rather quickly if the themester doesn't use urlencoded values, because the js "escapes" all initial values.

I added the comments I did because I wondered if htmlentities() would be a better solution; actually, I think I just figured out the best solution: create html-safe functions that return htmlentities() values, which can be used anywhere for whever as necessary.

Mike, I'm stealing this ticket. ;)

[derek]

"unescapes", not "escapes"

[derek]

• changed in [391]; now function plogger_get_picture_caption() uses htmlentities() internally, thereby preventing anyone (including theme-writers) from gumming-up the works
• removed all URL encoding
• left all themes using the slide() constructor
• thanks to mike for the reality-check ;)