From e0de4ef01a644bccae872f60b3584a1755dcbc1f Mon Sep 17 00:00:00 2001 From: "ctrlaltca@gmail.com" <> Date: Fri, 23 Mar 2012 18:15:03 +0000 Subject: Fixed #390 and #391 --- UPGRADE | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'UPGRADE') diff --git a/UPGRADE b/UPGRADE index c05ff8ab..c329d99d 100644 --- a/UPGRADE +++ b/UPGRADE @@ -45,7 +45,9 @@ Upgrading from v3.1.x - Some TJavaScript methods have been modified to clear their use and provide better xss protection: the undocumented quoteUTF8() was removed, since it didn't provide any real protection; quoteString() now safely adds quotes around a string: previously it only added escape characters; - the json* family of methods actually checks for errors and generate exceptions on fail. + the json* family of methods actually checks for errors and generate exceptions on fail; + strings beginning with "javascript:" doesn't bypass security checks in TJavascript::encode(), you need + to explicitly use TJavascript::quoteFunction() to ensure raw javascript will be published. - The php JSON extension is required; it ships by default with php 5.3 and is a lot faster that the old TJSON-based implementation. TJSON has been removed, if you were calling it directly to encode/decode you can switch to TJavaScript::jsonEncode(), TJavaScript::jsonDecode(). -- cgit v1.2.3
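Review bot: The two added lines in the UPGRADE hunk have grammar problems that should be fixed before this ships as user-facing upgrade documentation: "strings beginning with "javascript:" doesn't bypass" should read "don't bypass", and the retained line above it, "actually checks for errors and generate exceptions", should read "generates exceptions" (the subject is "family"). The note would also be more useful if it said what TJavascript::encode() now does with such a string (it is treated as an ordinary string and quoted like any other) rather than only what it no longer does, since callers who relied on the old prefix behaviour need to know their output will change silently and that they must switch to TJavascript::quoteFunction() for intentional raw JavaScript.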