﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
4380	Listblock: Stylename containing single quote will crash onclick method	mattis		"When a style contains a single quote in its title, it will crash the listblock.

Offending code (plugins/listblock/plugin.js):

{{{
add : function( value, html, title )
{
	var pendingHtml = this._.pendingHtml,
		id = 'cke_' + CKEDITOR.tools.getNextNumber();

	if ( !this._.started )
	{
		pendingHtml.push( '<ul class=cke_panel_list>' );
		this._.started = 1;
	}

	this._.items[ value ] = id;

	pendingHtml.push(
		'<li id=', id, ' class=cke_panel_listItem>' +
			'<a _cke_focus=1 hidefocus=true' +
				' title=""', title || value, '""' +
				' href=""javascript:void(\'', value, '\')""' +
				' onclick=""CKEDITOR.tools.callFunction(', this._.getClick(), ',\'', value, '\'); return false;"">',
				html || value,
			'</a>' +
		'</li>' );
},
}}}

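As you can see, 'value' is pushed verbatim into the pendingHtml array, and nothing escapes single quotes before it is placed inside the single-quoted JavaScript string in the href and onclick attributes. A single quote in the value therefore ends that string early and the generated handler is no longer valid script. The title attribute is built the same way from title or value, so a double-quote character there would break the attribute as well. Because this is unescaped interpolation into inline script and markup, the fix should escape the value for the JavaScript string context and then for the HTML attribute context, rather than only special-casing the single quote."	Bug	new	Normal		Core : Styles				antony.chandra@…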
