Priority: Urgent
Current State: Closed
Released In: 1.0.0
Target Release: patch
Applies To: Engine
Component:
Branches:
A lib file should not assume javascript. Especially because this is inserted in default skin that does not load any javascript. Line 280 in Form.pm
Agreed; and because of the potential for an XSS exploit by this route, I'm confirming it and raising it to Urgent.
The obvious solution is to template the function.
The correct way is to use unobtrusive javascript, as with BehaviourContrib or JQuery.
Looking at it I couldn't see the point of having the function call at all. The target attribute should suffice for that application.
--
CrawfordCurrie - 11 Dec 2008
Except when we want to conform to strict XHTML.
--
ArthurClemens - 11 Dec 2008
Ho ho ho that's a good one!
--
CrawfordCurrie - 11 Dec 2008