From 2ff5031c1d223b10b74738519833122d08595fa6 Mon Sep 17 00:00:00 2001
From: bradymiller
Date: Sat, 12 Mar 2011 13:55:45 -0800
Subject: [PATCH] Quick bug fix: Escaping of a string literal within an onClick tag. Pretty tough fix. For some reason, it works if run through addslashes() and htmlspecialchars(). Pretty weird. We should avoid ever displaying javascript code that needs to be escaped if within the onClick tag to avoid this situation. Further discussed here: http://stackoverflow.com/questions/97578/how-do-i-escape-a-string-inside-javascript-inside-an-onclick-handler
---
 library/ajax/payment_ajax.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/ajax/payment_ajax.php b/library/ajax/payment_ajax.php
index 586c4a10d..91206c17d 100644
--- a/library/ajax/payment_ajax.php
+++ b/library/ajax/payment_ajax.php
@@ -152,7 +152,7 @@ function AjaxDropDownCode()
 $Name=$lname.' '.$fname.' '.$mname;
 $DOB=oeFormatShortDate($row['DOB']);
 $StringForAjax.="
+ onkeydown='ProcessKeyForColoring(event,$CountIndex);$StringToAppend2(event,\"".htmlspecialchars($Id,ENT_QUOTES)."\",\"".htmlspecialchars($Name,ENT_QUOTES)."\")' onclick=\"$StringToAppend('".addslashes($Id)."','".htmlspecialchars(addslashes($Name),ENT_QUOTES)."')\">
 ".htmlspecialchars($Id)."
 ".htmlspecialchars($lname)."
 ".htmlspecialchars($fname)."
@@ -216,4 +216,4 @@ function AjaxDropDownCode()
 die;
 }
 }
-?>
\ No newline at end of file
+?>
--
2.11.4.GIT
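Review bot: In the new onclick attribute `$Id` goes through addslashes() only, so it is never HTML-encoded even though it sits inside a double-quoted HTML attribute — a `"`, `<` or `&` in the value reaches the attribute as-is, while `$Name` on the same line gets htmlspecialchars(addslashes(...), ENT_QUOTES). Escape both arguments the same way, `onclick=\"$StringToAppend('".htmlspecialchars(addslashes($Id),ENT_QUOTES)."','".htmlspecialchars(addslashes($Name),ENT_QUOTES)."')\">`. addslashes() is also not a JavaScript string escaper (it leaves newlines and `</` untouched), so a more robust form is json_encode() with JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP followed by htmlspecialchars() for the attribute context, which would also let the onkeydown handler on the same line (currently htmlspecialchars() alone, with no JavaScript escaping) share one escaping rule. The removed line of this hunk is not visible on the page, and the body of AjaxDropDownCode() continues outside it.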