patch for #393 + updated docs

3 files changed, 15 insertions, 7 deletions

diff --git a/HISTORY b/HISTORY
index 56fb4a23..0cf27d29 100644
--- a/HISTORY
+++ b/HISTORY
@@ -26,7 +26,7 @@ BUG: Issue  #91 - TActiveCustomValidator can not be updated in JavaScript callba
 ENH: Issue #106 - TJavaScript::jsonEncode and TJavaScript::jsonDecode should use built-in PHP functions (ctrlaltca)
 ENH: Issue #173 - Add "dragdropextra" (supergsting) patch, mouse coordinates and key status to drag & drop controls (Christophe, DevWorx)
 BUG: Issue #179 - Serialization issues in Prado (ctrlaltca)
-BUG: Issue #181 - Fixed regression introduced by the patch for #181 (ctrlaltca)
+BUG: Issue #181 - Reworked a better patch to handle clientside event handling (gabor)
 BUG: Issue #203 - Workaround for ->CallbackClient->click under IE<=8 (ctrlaltca)
 BUG: Issue #232 - Could not change enable-state of TActiveCheckBox via Ajax callback (Christophe)
 ENH: Issue #235 - Progressive rendering not possible (Gabor)
@@ -69,6 +69,7 @@ BUG: Issue #383 - Some THttpRequest methods raise NOTICE level errors on missing
 BUG: Issue #388 - Output caching will raise error in Performance mode (gabor)
 BUG: Issue #390 - TJavaScript::encode() float encoding depends on current locale (gabor)
 BUG: Issue #391 - TJavaScript::encode() provides no simple way to pass strings in an XSS-safe way (gabor, ctrlaltca)
+BUG: Issue #393 - 	THttpResponse::redirect() fails if output buffering has been disabled completely (gabor)
 
 Version 3.1.10 Jul 17, 2011
 BUG: Added missing timeout on TCacheHttpSession (ctrlaltca)
diff --git a/UPGRADE b/UPGRADE
index c329d99d..1613e01d 100644
--- a/UPGRADE
+++ b/UPGRADE
@@ -43,10 +43,14 @@ Upgrading from v3.1.x
   information is available. Previously some of them returned an empty string (getQueryString and
   getHttpProtocolVersion), some other returned null, others caused a php NOTICE.
 - Some TJavaScript methods have been modified to clear their use and provide better xss protection:
-  the undocumented quoteUTF8() was removed, since it didn't provide any real protection;
-  quoteString() now safely adds quotes around a string: previously it only added escape characters;
-  the json* family of methods actually checks for errors and generate exceptions on fail;
-  strings beginning with "javascript:" doesn't bypass security checks in TJavascript::encode(), you need
+  1. the undocumented quoteUTF8() was removed, since it didn't provide any real protection;
+  2. quoteString() now safely adds quotes around a string: previously it only added escape characters;
+  3. the json* family of methods actually checks for errors and generate exceptions on fail;
+  4. strings beginning with "javascript:", enclosed in {..} or [..] were previously meant to bypass any
+  encoding in TJavascript::encode(): this could introduce xss vulnerabilities. Now everything always gets
+  encoded, if you need a string to bypass encoding, prepare it with TJavaScript::quoteJsLiteral(). To
+  achieve the same result on control properties defined in a template, prefix the property name with 
+  "js" and prado will figure it out automatically.
   to explicitly use TJavascript::quoteFunction() to ensure raw javascript will be published.
 - The php JSON extension is required; it ships by default with php 5.3 and is a lot faster that the old
   TJSON-based implementation. TJSON has been removed, if you were calling it directly to encode/decode
diff --git a/framework/Web/THttpResponse.php b/framework/Web/THttpResponse.php
index 1f0bf6f2..d76648b7 100644
--- a/framework/Web/THttpResponse.php
+++ b/framework/Web/THttpResponse.php
@@ -426,8 +426,8 @@ class THttpResponse extends TModule implements ITextWriter
 	 */

 	public function httpRedirect($url)

 	{

-		if(!$this->getApplication()->getRequestCompleted())

-			$this->getApplication()->onEndRequest();

+		$this->ensureHeadersSent();

+

 		if($url[0]==='/')

 			$url=$this->getRequest()->getBaseUrl().$url;

 		if ($this->_status >= 300 && $this->_status < 400)

@@ -436,6 +436,9 @@ class THttpResponse extends TModule implements ITextWriter
 		else

 			header('Location: '.str_replace('&amp;','&',$url));

 

+		if(!$this->getApplication()->getRequestCompleted())

+			$this->getApplication()->onEndRequest();

+

 		exit();

 	}