From 67d6775f54e677a5793f1566ab7e5984169ef2ab Mon Sep 17 00:00:00 2001
From: Nathan Gray
Date: Fri, 19 Jul 2013 18:03:47 +0000
Subject: [PATCH] Use htmlspecialchars to escape data-attributes

---
 phpgwapi/inc/class.egw_framework.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/phpgwapi/inc/class.egw_framework.inc.php b/phpgwapi/inc/class.egw_framework.inc.php
index 5c02f74a7a..6cfc1342d4 100644
--- a/phpgwapi/inc/class.egw_framework.inc.php
+++ b/phpgwapi/inc/class.egw_framework.inc.php
@@ -852,7 +852,7 @@ abstract class egw_framework
 foreach($extra as $name => $value)
 {
 if (is_array($value)) $value = json_encode($value);
- $java_script .= ' data-'.$name."='".str_replace("'", '\\\'', $value)."'";
+ $java_script .= ' data-'.$name."=\"". html::htmlspecialchars($value)."\"";
 }
 $java_script .= ">\n";
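Review bot: The attribute name is still concatenated unescaped in the changed line (`' data-'.$name`), so this fix covers only the value side of the data-attribute. If a key of `$extra` can ever contain whitespace, `>` or a quote, it can still break out of the tag; a guard such as `if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) continue;` ahead of the concatenation would close that. The hunk does not show where `$extra` is populated, so this may be defence in depth rather than a reachable issue. `html::htmlspecialchars()` is also not visible here: confirm that it escapes `"` (the new delimiter) and that it re-encodes existing entities, because a json_encode'd value containing a literal `&quot;` or `&amp;` must round-trip unchanged to the script that reads the attribute. The enclosing method starts and ends outside the hunk.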