Ticket #4380 (new Bug)
Listblock: Stylename containing single quote will crash onclick method
| Reported by: | mattis | Owned by: | |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | Core : Styles | Version: | |
| Keywords: | | Cc: | antony.chandra@… |
Description
When a style contains a single quote in its title, it will crash the listblock.
Offending code (plugins/listblock/plugin.js):
```javascript
add : function( value, html, title )
{
	var pendingHtml = this._.pendingHtml,
		id = 'cke_' + CKEDITOR.tools.getNextNumber();

	if ( !this._.started )
	{
		pendingHtml.push( '<ul class=cke_panel_list>' );
		this._.started = 1;
	}

	this._.items[ value ] = id;

	pendingHtml.push(
		'<li id=', id, ' class=cke_panel_listItem>' +
			'<a _cke_focus=1 hidefocus=true' +
				' title="', title || value, '"' +
				' href="javascript:void(\'', value, '\')"' +
				' onclick="CKEDITOR.tools.callFunction(', this._.getClick(), ',\'', value, '\'); return false;">',
				html || value,
			'</a>' +
		'</li>' );
},
```
As you can see, 'value' is passed verbatim into the pendingHtml array, which doesn't do anything to escape single quotes.
Change History
comment:2 in reply to: ↑ description Changed 2 years ago by antony.chandra
- Cc antony.chandra@… added
Replacing single quotes with their HTML entity, so the CKEditor function call won't break, will fix this issue. See the fix below.
Replying to mattis:
When a style contains a single quote in its title, it will crash the listblock.
Offending code (plugins/listblock/plugin.js):
```javascript
add : function( value, html, title )
{
	var pendingHtml = this._.pendingHtml,
		id = 'cke_' + CKEDITOR.tools.getNextNumber();

	if ( !this._.started )
	{
		pendingHtml.push( '<ul class=cke_panel_list>' );
		this._.started = 1;
	}

	this._.items[ value ] = id;

	value = value.replace(/'/g, '\\\'');

	pendingHtml.push(
		'<li id=', id, ' class=cke_panel_listItem>' +
			'<a _cke_focus=1 hidefocus=true' +
				' title="', title || value, '"' +
				' href="javascript:void(\'', value, '\')"' +
				' onclick="CKEDITOR.tools.callFunction(', this._.getClick(), ',\'', value, '\'); return false;">',
				html || value,
			'</a>' +
		'</li>' );
},
```
As you can see, 'value' is passed verbatim into the pendingHtml array, which doesn't do anything to escape single quotes.
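An added example, not part of the ticket or of CKEditor's code: in the `onclick` attribute, `value` sits in two nested contexts (a single-quoted JS string literal inside a double-quoted HTML attribute), so it needs JS-string escaping followed by HTML-attribute escaping. The function names and the sample style names are assumptions made for illustration, and `runHandler` only simulates the browser decoding the attribute and running the handler.

```javascript
// Added example, not CKEditor code; all function names here are hypothetical.

// Layer 1: escape for a single-quoted JavaScript string literal.
function escapeJsString( value ) {
	return String( value )
		.replace( /\\/g, '\\\\' ) // backslash first, or later escapes get doubled
		.replace( /'/g, '\\\'' )
		.replace( /\r/g, '\\r' )
		.replace( /\n/g, '\\n' )
		.replace( /\u2028/g, '\\u2028' )
		.replace( /\u2029/g, '\\u2029' );
}

// Layer 2: escape the finished handler for a double-quoted HTML attribute.
function escapeHtmlAttr( text ) {
	return String( text )
		.replace( /&/g, '&amp;' )
		.replace( /"/g, '&quot;' )
		.replace( /</g, '&lt;' )
		.replace( />/g, '&gt;' );
}

// Build the onclick attribute value as listblock's add() does, with both layers.
function buildOnclick( fnRef, value ) {
	var js = 'CKEDITOR.tools.callFunction(' + fnRef + ',\'' +
		escapeJsString( value ) + '\'); return false;';
	return escapeHtmlAttr( js );
}

// Quote-only escaping, as in the change proposed in the comment above.
function buildOnclickQuoteOnly( fnRef, value ) {
	return 'CKEDITOR.tools.callFunction(' + fnRef + ',\'' +
		value.replace( /'/g, '\\\'' ) + '\'); return false;';
}

// Simulate the browser: decode the attribute, run it, return the argument received.
function runHandler( attr ) {
	var js = attr.replace( /&quot;/g, '"' ).replace( /&lt;/g, '<' )
		.replace( /&gt;/g, '>' ).replace( /&amp;/g, '&' );
	var received,
		CKEDITOR = { tools : { callFunction : function( ref, v ) { received = v; } } };
	new Function( 'CKEDITOR', js )( CKEDITOR );
	return received;
}

// Constructed style names (not from the ticket).
var samples = [ "Editor's Pick", 'Pull "Quote"', 'Back\\slash', 'Trailing\\', 'A & B <big>' ];
var roundTrips = samples.map( function( s ) { return runHandler( buildOnclick( 12, s ) ) === s; } );
```

The same `escapeHtmlAttr` step applies to the `title="…"` attribute in `add()`, which receives `title || value`.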
