param html escaping

[GoogleCodeExporter]

What steps will reproduce the problem?
1. pass a string containing a special html character as parameter
2. embedSWF(_,_,_,_,_,_,_, /* parObj: */ { test: ' " > < & ' })
3. try it in windows IE

What is the expected output? What do you see instead?

Expected output:
  <param name="test" value=" &quot; &gt; &lt; &amp; " />
Output I got:
  <param name="test" value=" " > < & " />

I think it's not correct.

What version of the product are you using? On what operating system?

 - SWFObject version 2.1
 - Microsoft Internet Explorer 6.0
 - Microsoft Windows XP

Please provide any additional information below.

Easy to fix:

1. Define a new function:

    var escapeHTML= function(s) {
      return String(s)
        .replace(/&/g, "&amp;")
        .replace(/"/g, "&quot;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;");
    };

2. Fix the related part of html builder code.

In my swfobject.js (release 2_1) it's located at line 371.

Before:
  par += '<param name="' + j + '" value="' + parObj[j] + '" />';

After:
  par +=
    '<param name="' + escapeHTML(j) +
    '" value="' + escapeHTML(parObj[j]) + '" />';

Original issue reported on code.google.com by kondi.e...@gmail.com on 22 Jul 2008 at 1:31

[GoogleCodeExporter]

This is not a bug, encoding special characters is the job of a web authors.

Original comment by bobbyvandersluis on 23 Jul 2008 at 2:23

• Changed state: Invalid

[GoogleCodeExporter]

But if I encode it then it will double-encoded in other browsers.
(setAttribute vs outerHTML)

Original comment by kondi.e...@gmail.com on 23 Jul 2008 at 4:55

[GoogleCodeExporter]

I don't get the point, where would you need this for anyway?

Original comment by bobbyvandersluis on 23 Jul 2008 at 7:44