Mirror of https://github.com/e107inc/e107.git (synced 2025-01-17 12:48:24 +01:00)

Commit f6d6d1b185
`e_parse::toJS()`, documented with the description "Convert text blocks which are to be embedded within JS", does not protect strings from injections, which appears to be its primary use.

Additionally, it performs multiple unrelated string modifications:

* Replace Windows line breaks with a literal `\\n` (which would later be parsed as `\n` in JavaScript/JSON)
* Does not modify Unix line breaks (`\n`), which is inconsistent with the Windows line break behavior
* Removes HTML tags
* Replaces HTML entities as `htmlentities()` does

This method cannot be fixed because its usages are inconsistent. Most notably, some usages surround the method's output in single quotes while others surround it with double quotes. Strings cannot be JSON-encoded without confounding quotation mark styles.

All core usages of `e_parse::toJS()` have been replaced with alternatives, which are also documented in the method's DocBlock.

Fixes: #4546
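The following is an added illustration, not e107's code and not the commit's own diff. `legacyToJS()` is a hypothetical stand-in that mimics the behaviour the commit message attributes to `e_parse::toJS()` (the `htmlentities()` flags e107 used are not stated, so the default is assumed), and `jsStringLiteral()` is one possible replacement (an assumption, not the DocBlock's own alternative) that emits a complete JS string literal so the template never wraps it in quotes of either style.

```php
<?php
// Stand-in for the described toJS() behaviour (hypothetical, not e107 code).
function legacyToJS(string $text): string
{
    $text = str_replace("\r\n", '\\n', $text); // Windows line breaks -> literal \n
    $text = strip_tags($text);                  // Unix \n is left alone; HTML tags removed
    return htmlentities($text);                 // entity-encodes &, <, >, " (and ' on PHP 8.1+)
}

// Assumed replacement: return a complete, self-quoted JS string literal.
// Because the output carries its own double quotes, a template must use
//   var x = <?= jsStringLiteral($s) ?>;
// and never '<?= ... ?>' or "<?= ... ?>", which removes the quote-style
// ambiguity the commit describes.
function jsStringLiteral(string $text): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
           | JSON_INVALID_UTF8_SUBSTITUTE;      // bad UTF-8 must not turn the result into `false`
    // json_encode also escapes backslashes, control characters and, by default,
    // U+2028/U+2029, all of which legacyToJS() leaves untouched.
    return json_encode($text, $flags);
}

// Constructed untrusted input: a trailing backslash followed by a Unix newline.
// Both pass through legacyToJS() unchanged. Inside '<?= legacyToJS($s) ?>' the
// backslash escapes the closing quote and the raw newline terminates the
// literal early, so the surrounding script is no longer the script the
// template author wrote.
$untrusted = "O'Brien \\\nnext line";

// Legacy form: the caller chose single quotes, so the literal is broken.
printf("var a = '%s';\n", legacyToJS($untrusted));

// Replacement form: no quotes added by the template, output is a valid literal.
printf("var b = %s;\n", jsStringLiteral($untrusted));
```

Run with `php example.php` and compare the two emitted statements: only the second parses as a single, well-formed JavaScript string.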