Add wfEscapeJsString() function to do proper escaping of JavaScript string literals.
$image=$wgStylePath.'/common/images/'.$tool['image'];
$open=$tool['open'];
$close=$tool['close'];
- $sample = addslashes( $tool['sample'] );
+ $sample = wfEscapeJsString( $tool['sample'] );
// Note that we use the tip both for the ALT tag and the TITLE tag of the image.
// Older browsers show a "speedtip" type message only for ALT.
$toolbar.="addButton('$image','$tip','$open','$close','$sample');\n";
}
- $toolbar.="addInfobox('" . addslashes( wfMsg( "infobox" ) ) . "','" . addslashes(wfMsg("infobox_alert")) . "');\n";
+ $toolbar.="addInfobox('" . wfEscapeJsString( wfMsg( "infobox" ) ) .
+ "','" . wfEscapeJsString( wfMsg( "infobox_alert" ) ) . "');\n";
$toolbar.="document.writeln(\"</div>\");\n";
$toolbar.="/*]]>*/\n</script>";
return $out;
}
+/**
+ * Returns an escaped string suitable for inclusion in a string literal
+ * for JavaScript source code.
+ * Illegal control characters are assumed not to be present.
+ *
+ * @param string $string
+ * @return string
+ */
+function wfEscapeJsString( $string ) {
+ // See ECMA 262 section 7.8.4 for string literal format
+ $pairs = array(
+ "\\" => "\\\\",
+ "\"" => "\\\"",
+ "\'" => "\\\'",
+ "\n" => "\\n",
+ "\r" => "\\r",
+
+ # To avoid closing the element or CDATA section
+ "<" => "\\x3c",
+ ">" => "\\x3e",
+ );
+ return strtr( $string, $pairs );
+}
+
/**
* @todo document
* @return float
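Review bot: The pair `"\'" => "\\\'"` in wfEscapeJsString never escapes a bare single quote, because `\'` is not an escape sequence inside a PHP double-quoted string: the key is the two-character sequence backslash-quote, so a plain `'` passes through strtr untouched and still terminates the single-quoted literals built in `addButton('$image','$tip','$open','$close','$sample')` and in the `addInfobox(...)` line, which is exactly the injection this commit sets out to close. The entry should be written with single-quoted PHP literals, `'\'' => '\\\'',`, so the key is `'` and the replacement is `\'`. On the same addButton line, `$tip`, `$open` and `$close` are interpolated without any escaping; if they are not already JS-escaped where `$tool` is defined (outside this hunk), they need `wfEscapeJsString()` as well. The docblock's "illegal control characters are assumed not to be present" should also say that U+2028/U+2029 are LineTerminators in ECMA-262 section 7.8.4 and are not handled here, since a value containing them is not a valid literal even after this escaping.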
/** @todo document */
function tocList($toc) {
return "<table id='toc' class='toc'><tr><td>"
- . "<div id='toctitle'><h2>" . wfMsg('toc') . "</h2></div>\n"
+ . "<div id='toctitle'><h2>" . wfMsgForContent('toc') . "</h2></div>\n"
. $toc
. "</ul>\n</td></tr></table>\n"
. '<script type="text/javascript">'
. ' if (window.showTocToggle) {'
- . ' var tocShowText = "' . addslashes( wfMsg('showtoc') ) . '";'
- . ' var tocHideText = "' . addslashes( wfMsg('hidetoc') ) . '"; '
+ . ' var tocShowText = "' . wfEscapeJsString( wfMsgForContent('showtoc') ) . '";'
+ . ' var tocHideText = "' . wfEscapeJsString( wfMsgForContent('hidetoc') ) . '";'
. ' showTocToggle();'
. ' } '
. "</script>\n";
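Review bot: Besides the escaping change, this hunk switches `wfMsg('toc')`, `wfMsg('showtoc')` and `wfMsg('hidetoc')` to `wfMsgForContent(...)`, which renders those TOC labels in the content language instead of the user's interface language; that is a behaviour change the commit message (which only describes adding wfEscapeJsString) does not mention, so either note it there or keep `wfMsg` and change only the escaping. The escaping itself is sound for these literals because they are double-quoted and `"`, `\n`, `\r` and `<`/`>` are all covered by the new helper, so the helper's single-quote handling does not affect this call site. `$toc` is concatenated into the markup unescaped on the line after the title; presumably it is already-rendered HTML from the caller, but that cannot be confirmed from here. tocList's closing brace lies outside the hunk.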