hi molily,

Hallo,

echo 'var buecher = new Array("' . implode('","', $_SESSION['buecher']) .'");' . PHP_EOL;

Bitte nicht nur meckern, sondern zeigen, wie es geht!

Die saubere Lösung hatte ChrisB schon aufgezeigt, sie lautet JSON.

Was müssen wir also escapen? Das zu diskutieren, wäre doch wünschenswert!

Das kommt auf den Kontext an. Hier ist der Kontext ein JavaScript-String.

Was ist mit: "Escaping Javascript

Javascript string literals in HTML are subject to significant restrictions particularly due to the potential for unquoted attributes and any uncertainty as to whether Javascript will be viewed as being CDATA or PCDATA by the browser. To eliminate any possible XSS vulnerabilities, Javascript escaping for HTML extends the escaping rules of both ECMAScript and JSON to include any potentially dangerous character. Very similar to HTML attribute value escaping, this means escaping everything except basic alphanumeric characters and the comma, period and underscore characters as hexadecimal or unicode escapes.

Javascript escaping applies to all literal strings and digits. It is not possible to safely escape other Javascript markup.

To escape data in the Javascript context, use Zend\Escaper\Escaper‘s escapeJs method. An extended set of characters are escaped beyond ECMAScript’s rules for Javascript literal string escaping in order to prevent misinterpretation of Javascript as HTML leading to the injection of special characters and entities."?

http://framework.zend.com/manual/2.1/en/modules/zend.escaper.escaping-javascript.html bzw. https://forum.selfhtml.org/?t=217757&m=1496870

mfg

tami