|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2018-07-25 16:56 UTC] nicolas dot dermine at gmail dot com
Description: ------------ We output some HTML markup inside a json_encoded string, with double quotes replaced by `\u0022` (with the `JSON_HEX_QUOT` flag) the HTML markup contains a `<a href="javascript:...>` link which becomes `<a href=\u0022javascript:...>` when json_encoded we also use `output_add_rewrite_var`, and had no problem when using PHP 5.6 or PHP 7.0 (i.e .the parameter was not added, since this a JavaScript call, not a URL), but it seems since PHP 7.1.0 the URL parameter is added just before the first argument of the JavaScript function in the `href` attribute, resulting in a JavaScript error when it is clicked. Test script: --------------- <?php // tried this on https://3v4l.org/fmRvE output_add_rewrite_var('param_name', 'param_value'); ini_set('url_rewriter.tags', 'a=href'); echo '"<a href=\\u0022javascript:someFunc(\'some arg\')\\u0022>link 2</a>"'; Expected result: ---------------- Output for 5.6.30, 7.0.30 - 7.0.31 "<a href=\u0022javascript:someFunc('some arg')\u0022>link 2</a>" Actual result: -------------- Output for 7.1.0 - 7.3.0alpha4 "<a href=\u0022javascript:someFunc(?param_name=param_value'some arg')\u0022>link 2</a>" (the added `?param_name=param_value` after the opening parenthesis causes a JavaScript error when the link is clicked.) PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Wed Oct 29 11:00:01 2025 UTC |
This is conceptionally tricky. The issue isn't the javascript: URL, but rather that the URL rewriter does not expect EcmaScript Unicode escape characters. If these are present, that can cause all kinds of misbehavior, e.g. "<a href=\\u0022ftp://example.com\\u0022>link 2</a>" will also be rewritten, even though ftp:// URLs are not supposed to. Not sure how to address this.