/**
* Outputs a HTML attribute and value
* @param string $name The name of the attribute ('src', 'href', 'class' etc.)
- * @param string $value The value of the attribute
+ * @param string $value The value of the attribute. The value will be escaped with {@link s()}
* @return string HTML fragment
*/
protected function output_attribute($name, $value) {
if ($value == HTML_ATTR_EMPTY) {
return ' ' . $name . '=""';
} else if ($value || is_numeric($value)) { // We want 0 to be output.
- return ' ' . $name . '="' . $value . '"';
+ return ' ' . $name . '="' . s($value) . '"';
}
}
/**
* Outputs a list of HTML attributes and values
* @param array $attributes The tag attributes (array('src' => $url, 'class' => 'class1') etc.)
+ * The values will be escaped with {@link s()}
* @return string HTML fragment
*/
protected function output_attributes($attributes) {
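Review bot: Only the value is escaped by the added `s($value)` line; `$name` is still concatenated raw into the tag, so the docblock should say so, e.g. `@param string $name The attribute name; must be a trusted literal, it is not escaped`. Callers that already escape a value before passing it to output_attribute() will now have it encoded twice (`&amp;` becoming `&amp;amp;`), so call sites outside this hunk need checking. Separately, when `$value` is empty and not numeric the function falls off the end and returns null although the docblock promises a string; an explicit `return '';` would make the contract hold. The body of output_attributes() lies outside the hunk, so whether it routes every value through output_attribute() cannot be confirmed from here.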
*
* @param mixed $url The URL (moodle_url or string)
* @param bool $stripformparams Whether or not to strip the query params from the URL
- * @return string
+ * @return string the URL. &s are unescaped. You must use s(...) to output this to XHTML. ($OUTPUT normally does this automatically.)
*/
function prepare_url($url, $stripformparams=false) {
global $CFG, $PAGE;
$output = $url;
if ($url instanceof moodle_url) {
- $output = $url->out($stripformparams);
+ $output = $url->out($stripformparams, array(), false);
}
// Handle relative URLs
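Review bot: The return contract of prepare_url() changes here from an HTML-escaped string to a raw one (the third argument `false` passed to `out()` is presumably the escape flag), so any existing caller that prints the result straight into markup loses its escaping. The new `@return` text says $OUTPUT "normally" escapes, which leaves the exceptions undefined; I would state the rule outright, e.g. `@return string The URL with unescaped ampersands. Not safe to print into HTML as is; pass it through s() or output_attribute().` Call sites outside this diff should be checked for direct output of the returned value. The function body continues past the end of the hunk, so the relative-URL handling that follows is not reviewed here.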