From be8daabe3cc55101127b7e5c309f1cc8d45effe4 Mon Sep 17 00:00:00 2001
From: Peter Schojer
Date: Thu, 18 Sep 2008 12:29:56 +0000
Subject: [PATCH] escaping js values
---
 WebWidgets/ExtJS/src/TableRenderer.cpp | 4 ++--
 WebWidgets/ExtJS/src/TextFieldCellRenderer.cpp | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/WebWidgets/ExtJS/src/TableRenderer.cpp b/WebWidgets/ExtJS/src/TableRenderer.cpp
index 918829aac..f03bfd859 100644
--- a/WebWidgets/ExtJS/src/TableRenderer.cpp
+++ b/WebWidgets/ExtJS/src/TableRenderer.cpp
@@ -130,7 +130,7 @@ Poco::WebWidgets::JSDelegate TableRenderer::createCellValueChangedServerCallback
 // date fields cause problems here, and I only habe one cellclick event per table not per column!
 // from the table get the TableColumn, from this get the renderer for the given col and render obj.value
 // {(var r=obj.grid.getColumnModel().getRenderer(obj.column))?r(obj.value);:obj.value;}, hm renderer exists for everthing
- addParams.insert(std::make_pair(Table::FIELD_VAL, "+obj.grid.getColumnModel().getRenderer(obj.column)(obj.value)"));
+ addParams.insert(std::make_pair(Table::FIELD_VAL, "+escape(obj.grid.getColumnModel().getRenderer(obj.column)(obj.value))"));
 addParams.insert(std::make_pair(RequestHandler::KEY_EVID, Table::EV_CELLVALUECHANGED));
 const std::string& success = pTable->cellValueChanged.getOnSuccess();
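Review bot: `escape()` is the wrong encoder for a request parameter: it leaves `+` and `/` unencoded and emits the non-standard `%uXXXX` form for characters above U+00FF, so a cell value containing `+` will likely arrive as a space and non-Latin text may not decode on the server, assuming the value string is concatenated into the callback request as its leading `+` suggests. On the added `Table::FIELD_VAL` line I would use `"+encodeURIComponent(obj.grid.getColumnModel().getRenderer(obj.column)(obj.value))"`. The same applies to the matching line in the second TableRenderer.cpp hunk and to `escape(oldVal)` / `escape(newVal)` in TextFieldCellRenderer.cpp. The enclosing function starts and ends outside the hunk, so how the string is spliced into the request is not visible here.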
@@ -152,7 +152,7 @@ Poco::WebWidgets::JSDelegate TableRenderer::createBeforeCellValueChangedServerCa
 // date fields cause problems here, and I only habe one cellclick event per table not per column!
 // from the table get the TableColumn, from this get the renderer for the given col and render obj.value
 // {(var r=obj.grid.getColumnModel().getRenderer(obj.column))?r(obj.value);:obj.value;}, hm renderer exists for everthing
- addParams.insert(std::make_pair(Table::FIELD_VAL, "+obj.grid.getColumnModel().getRenderer(obj.column)(obj.value)"));
+ addParams.insert(std::make_pair(Table::FIELD_VAL, "+escape(obj.grid.getColumnModel().getRenderer(obj.column)(obj.value))"));
 addParams.insert(std::make_pair(RequestHandler::KEY_EVID, Table::EV_BEFORECELLVALUECHANGED));
 const std::string& success = pTable->beforeCellValueChanged.getOnSuccess();
diff --git a/WebWidgets/ExtJS/src/TextFieldCellRenderer.cpp b/WebWidgets/ExtJS/src/TextFieldCellRenderer.cpp
index 2449ad95e..a03d60623 100644
--- a/WebWidgets/ExtJS/src/TextFieldCellRenderer.cpp
+++ b/WebWidgets/ExtJS/src/TextFieldCellRenderer.cpp
@@ -143,8 +143,8 @@ Poco::WebWidgets::JSDelegate TextFieldCellRenderer::createTextChangedServerCallb
 // change : ( Ext.form.Field field, Mixed newVal, Mixed oldVal )
 static const std::string signature("function(field,newVal,oldVal)");
 std::map addParams;
- addParams.insert(std::make_pair(TextFieldCell::FIELD_OLDVAL, "+oldVal"));
- addParams.insert(std::make_pair(TextFieldCell::FIELD_NEWVAL, "+newVal"));
+ addParams.insert(std::make_pair(TextFieldCell::FIELD_OLDVAL, "+escape(oldVal)"));
+ addParams.insert(std::make_pair(TextFieldCell::FIELD_NEWVAL, "+escape(newVal)"));
 addParams.insert(std::make_pair(RequestHandler::KEY_EVID, TextFieldCell::EV_TEXTCHANGED));
 return Utility::createServerCallback(signature, addParams, pText->id(), pText->textChanged.getOnSuccess(), pText->textChanged.getOnFailure());
 }
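Review bot: The added `Table::FIELD_VAL` line in the `-152,7` hunk of TableRenderer.cpp is character-for-character the same literal as the one in the `-130,7` hunk, so any later change to the encoding has to be made twice and the two callbacks can drift apart. A single file-local constant, e.g. `static const std::string RENDERED_VALUE_EXPR("+escape(obj.grid.getColumnModel().getRenderer(obj.column)(obj.value))");`, passed to both `std::make_pair(Table::FIELD_VAL, RENDERED_VALUE_EXPR)` calls would keep them in step. Both enclosing functions extend beyond their hunks.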
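Review bot: The two added lines in the `-143,8` hunk of TextFieldCellRenderer.cpp deserve a comment saying what the encoding is for and what it is not: it keeps a typed `&`, `=` or `#` from breaking or adding request parameters, but it runs in the browser and is not validation. I would add above them `// values are URL-escaped only to keep the request well-formed; the handler must decode and still treat them as untrusted input`. `FIELD_OLDVAL` in particular is whatever the client reports, so the server-side handler (not shown in this diff) should presumably not rely on it as the authoritative previous value.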