From c7283e1cae6bbdc13464a77ae7f22bd9489fe089 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Sun, 20 Jul 2014 23:23:17 +0200
Subject: Defensive programming: more urlencode/htmlentities

Make build_url return an URL, not HTML. This separates presentation from data. plugin_header's return value is unused, remove the unnecessary return. At places where `printf("", $x);` is used, it is now converted to `printf("", htmlentities($x));` since the single quote is not escaped by default by htmlentities. In case the canvas style is used, JS should use `textContent` instead of `innerHTML` to avoid reading `"` instead of `"`. Nobody (should) use(s) IE6 anymore, so it is a safe change. While at it, use the standard charset attribute of meta to specify the character set (UTF-8).
---
 js/CGP.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'js/CGP.js')

diff --git a/js/CGP.js b/js/CGP.js
index bbfd1b5..c30cfd2 100644
--- a/js/CGP.js
+++ b/js/CGP.js
@@ -66,7 +66,7 @@ function prepare_draw(id) {
 RrdGraph.prototype.mousex = 0;
 RrdGraph.prototype.mousedown = false;
- var cmdline = document.getElementById(id).innerHTML;
+ var cmdline = document.getElementById(id).textContent;
 var gfx = new RrdGfxCanvas(id);
 var fetch = new RrdDataFile();
 var rrdcmdline = null;
-- 
cgit v1.1
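Review bot: The added line still dereferences `document.getElementById(id)` without a null check, so an `id` that is not on the page throws a TypeError before `cmdline` is read; the move to `textContent` does not change that, and if callers can pass such an id a guard like `var el = document.getElementById(id); if (!el) { return; }` would make the failure explicit. Because `textContent` returns the decoded text, the command line read here is only correct when the server HTML-encodes it into the element, which the description says the PHP side now does; that coupling deserves a comment next to the new line, e.g. `// element body is HTML-encoded server-side; textContent yields the decoded command line`. prepare_draw begins before this hunk and its body continues past it.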