Escaping of title doesn't work

[GoogleCodeExporter]

The slimbox reads the title attribute from the img-tag, but unfortunately
it doesn't escape the value. Even if the text is correctly escaped in HTML
it'll be run when opening the slimbox layer.

Steps to reproduce the problem:
1. Create a lightbox Gallery with this code:

<a href="test.jpg" rel="lightbox-gallery"
title="&lt;script&gt;alert(&#039;tadaaa&#039;)&lt;/script&gt;"><img
src="test_sm.jpg" alt="" /></a>

When clicking on the picture, the lightbox opens and an alert box "tadaaa"
shows up. I'd expect slimbox to escape the title value and not allow any
script execution...

Tested in FF 3.0.10, IE 8.0 width slimbox v2.02

Original issue reported on code.google.com by nuramo...@gmail.com on 26 May 2009 at 1:46

[GoogleCodeExporter]

The browser does this, not Slimbox. And it is actually a good thing since it 
allows
you to insert HTML in the image captions, not just simple text AND still produce
valid HTML in your pages.

And you can still escape the text like you want: you just need to double-escape 
the
text by replacing "&" with "&". Like this:

<a href="test.jpg" rel="lightbox-gallery"
title="&lt;script&gt;alert(&#039;tadaaa&#039;)&lt;/script&gt;"><img
src="test_sm.jpg" alt="" /></a>

If you do this programmatically (in PHP or others), just call escape() twice. 
It will
work.

Then no "tadaa" anymore.

Original comment by christophe.beyls@gmail.com on 20 Aug 2009 at 12:06

• Changed state: Invalid