• Hi.

    Really loving your plugin so far.
    Alas, I’ve hit a snag:
    When configuring the map, after entering a filter label with a single-quote, the whole filters panel stops working.

    I’ve tracked it down to the JS you inject for variables not having any escaping.
    In /admin/partials/locate-and-filter-metabox-admin.php on line 477, when you’re echoing your display_filters var, there is zero escaping being done.

    So, for instance, if you enter “Some single-quote’s label”, you end up with 'Some single-quote's label'. As you can imagine, it doesn’t know what to do with “s label”.

    May I suggest that you create your variable in PHP and then simply json_encode the result that you output in your JS? That would prevent any escaping woes.

    Cheers,
    Michal

    • This topic was modified 3 years, 3 months ago by michalbluma.


  • The topic ‘Missing string escaping’ is closed to new replies.
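
The bug and the suggested fix from the post above, as an added example that is not the plugin's code and not part of the original post. The shape of `$display_filters`, the function names and the sample labels are assumptions constructed for illustration.

```php
<?php
// Constructed sample labels; the shape of $display_filters is an assumption,
// not the plugin's real data structure.
$display_filters = [
    ['slug' => 'category', 'label' => "Some single-quote's label"],
    ['slug' => 'cuisine',  'label' => 'Bars & <Grills> "open late"'],
];

// Pattern described in the post: each label is echoed raw between single
// quotes, so an apostrophe ends the JS string literal early.
function render_unescaped(array $filters): string
{
    $items = [];
    foreach ($filters as $f) {
        $items[] = "{slug: '{$f['slug']}', label: '{$f['label']}'}";
    }
    return 'var display_filters = [' . implode(', ', $items) . '];';
}

// Suggested fix: build the value in PHP and let json_encode produce the
// JS literal. The JSON_HEX_* flags also encode ', ", &, < and > as \uXXXX,
// which keeps the literal inert inside an inline <script> block.
function render_encoded(array $filters): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json  = json_encode($filters, $flags);
    if ($json === false) {
        // Encoding failed (for example invalid UTF-8 in a label):
        // emit an empty list instead of broken JavaScript.
        $json = '[]';
    }
    return 'var display_filters = ' . $json . ';';
}

echo render_unescaped($display_filters), PHP_EOL;
$safe = render_encoded($display_filters);
echo $safe, PHP_EOL;

// Round trip: the emitted literal decodes back to exactly the input labels.
$literal = substr($safe, strlen('var display_filters = '), -1);
if (json_decode($literal, true) !== $display_filters) {
    throw new RuntimeException('encoded filters do not round-trip');
}
```

Inside WordPress, `wp_json_encode()` accepts the same flags and can stand in for `json_encode()` here.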