Bug #25485 for CGI: Needs Tests: autoEscape() bypassed for Javascript handlers, except in button()

> > I am using CGI 3.10 with perl 5.8.6 under Solaris 8. No hint was found > in the change log these bugs are fixed in newer versions, so I am going > to report them. > > Documentation: autoEscape(0) does *not* disable auto escaping. Using a > method with an undefined value does: $cgi->autoEscape(undef). > > From the documentation, one would expect deactivated auto escaping would > mean there is no auto escaping at all, but this is wrong for > *Javascript* handlers which are auto escaped regardless of the auto > escape setup. This is very confusing because it is not documented. > > Unfortunately, extra confusion is added by the fact that this bypassing > of the flag does *not* happen for the button() method. Here is a script > that demonstrates the behaviour: > > # textfield, password_field, textarea, popup_menu, scrolling_list, > checkbox_group, checkbox, radio_group, submit, image_button > > # pragmas > use strict; > use warnings; > > # modules > use CGI; > > # build object and deactivate auto escaping > my $cgi=new CGI; > $cgi->autoEscape(undef); > > # demonstrate the handling of Javascript code > # for the various controls > print $cgi->header, > > $cgi->start_form, > > $cgi->textfield( > { > default => 'text field', > onclick => 'alert("===> text field")', > }, > ), > > $cgi->password_field( > { > default => 'password field', > onclick => 'alert("===> password > field")', > }, > ), > > $cgi->textarea( > { > name => 'foo', > default => 'text area', > rows => 10, > columns => 50, > onclick => 'alert("===> text area")', > }, > ), > > $cgi->popup_menu( > { > name => 'menu_name', > values => ['eenie','meenie','minie'], > default => 'meenie', > onclick => 'alert("===> popup menu")', > } > ), > > $cgi->popup_menu( > -name=>'menu_name', > onclick => 'alert("===> menu group")', > -values=>[ > qw/eenie meenie minie/, > $cgi->optgroup( > - > name=>'optgroup_name', > onclick => > 'alert("===> menu group option")', > -values => > ['moe','catch'], > - > attributes=>{'catch'=>{'class'=>'red'}} > ) > ], > -labels=>{ > 'eenie'=>'one', > 'meenie'=>'two', > 'minie'=>'three' > }, > -default=>'meenie' > ), > > $cgi->scrolling_list( > -name=>'list_name', > onclick => 'alert("===> scrolling > list")', > - > values=>['eenie','meenie','minie','moe'], > -default=>['eenie','moe'], > -size=>5, > -multiple=>'true', > ), > > $cgi->checkbox_group( > -name=>'group_name', > onclick => 'alert("===> checkbox group")', > - > values=>['eenie','meenie','minie','moe'], > -default=>['eenie','moe'], > -linebreak=>'true', > ), > > $cgi->checkbox( > -name=>'checkbox_name', > onclick => 'alert("===> single checkbox")', > onchange => 'alert("===> single checkbox > changed")', > -checked=>1, > -value=>'ON', > -label=>'CLICK ME' > ), > > $cgi->radio_group( > { > name=>'group_name', > onclick => 'alert("===> radio group")', > values=>['eenie','meenie','minie','moe'], > rows=>2, > columns=>2, > } > ), > > $cgi->submit( > -name=>'button_name', > onclick => 'alert("===> submit button")', > -value=>'value' > ), > > $cgi->image_button( > -name=>'button_name', > onclick => 'alert("===> image button")', > -src=>'/source/URL', > -align=>'MIDDLE' > ), > > $cgi->button( > { > onclick => 'alert("===> Button")', > title => 'Button', > }, > ), > > $cgi->end_form, > > ; > > Finally, if it is possible I suggest to accelerate the escape function. > Switching off auto escaping became a need when it turned out in > profiling that autoEscape() calls took significant time in building a > form with dozens of controls. The script is faster with extra calls of > HTML::Entities::encode_entities() (for the data), but it would be great > and convenient if the same performance was possible without extra code. > > Thank you for a great module, and for the fixes in advance! > > >