author ctrlaltca@gmail.com <> 2012-03-23 18:15:03 +0000
committer ctrlaltca@gmail.com <> 2012-03-23 18:15:03 +0000
commit e0de4ef01a644bccae872f60b3584a1755dcbc1f (patch)
tree ec7aef2e1ea355f7dd9a89b2090beb54024502ee /UPGRADE
parent 942bee46430fe06e17200a9f5a649768081d6eae (diff)
Fixed #390 and #391
Diffstat (limited to 'UPGRADE')
-rw-r--r-- UPGRADE 4
1 files changed, 3 insertions, 1 deletions
diff --git a/UPGRADE b/UPGRADE
index c05ff8ab..c329d99d 100644
--- a/UPGRADE
+++ b/UPGRADE
@@ -45,7 +45,9 @@ Upgrading from v3.1.x
- Some TJavaScript methods have been modified to clear their use and provide better xss protection:
the undocumented quoteUTF8() was removed, since it didn't provide any real protection;
quoteString() now safely adds quotes around a string: previously it only added escape characters;
- the json* family of methods actually checks for errors and generate exceptions on fail.
+ the json* family of methods actually checks for errors and generate exceptions on fail;
+ strings beginning with "javascript:" doesn't bypass security checks in TJavascript::encode(), you need
+ to explicitly use TJavascript::quoteFunction() to ensure raw javascript will be published.
- The php JSON extension is required; it ships by default with php 5.3 and is a lot faster that the old
TJSON-based implementation. TJSON has been removed, if you were calling it directly to encode/decode
you can switch to TJavaScript::jsonEncode(), TJavaScript::jsonDecode().
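Review bot: The two added lines about the "javascript:" prefix say the prefix no longer bypasses the security checks in TJavascript::encode(), but not what encode() now does with such a string, so a reader upgrading from v3.1.x cannot tell whether existing values that relied on the prefix will be quoted, stripped or rejected. Please state the new behaviour in one clause and make the migration step explicit, i.e. that callers who intentionally pass raw javascript must wrap it with quoteFunction() themselves. Two smaller points on the same lines: "doesn't bypass" should read "no longer bypass" (plural subject, and it makes clear this is a behaviour change), and the class is spelled "TJavascript" here while the unchanged lines of this entry use "TJavaScript" (for example "TJavaScript::jsonEncode()"); use one spelling so that searching the file for the class name finds this note. "will be published" is also vague; "is emitted unquoted" or similar would say what quoteFunction() is for.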