Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#10943 closed defect (fixed)

dijit.Editor doesn't return valid value when ViewSource enabled

Reported by: coldwind Owned by: Jared Jurkiewicz
Priority: high Milestone: 1.6
Component: Editor Version: 1.4.0
Keywords: dijit._editor.plugins.ViewSource Cc:
Blocked By: Blocking:

Description

When I use dijit.Editor with the ViewSource plugin enabled, I can't get the editor's value from this mode.

I toggle ViewSource, change some text and then try to get it with dijit.byId('editor').attr('value'), but I receive the old value.

Attachments (3)

viewlet-editor.png (30.4 KB) - added by mpawlow 9 years ago.
editor_viewsource_getvalue.patch (1.9 KB) - added by Jared Jurkiewicz 9 years ago.
Patch to swizzle getValue when in VSmode.
editor_viewsource_getvalue.2.patch (1.9 KB) - added by Jared Jurkiewicz 9 years ago.
Patch to swizzle getValue when in VSmode.


Change History (11)

comment:1 Changed 9 years ago by Adam Peller

Owner: set to Jared Jurkiewicz

comment:2 Changed 9 years ago by Jared Jurkiewicz

Resolution: invalid
Status: new → closed

That's expected. You will not get content back you enter until you toggle out of viewsource mode. This is by design to enforce that the script, comment, and iframe filters are executed on the content before it is allowed as valid editor input.

Allowing access to that content is extremely dangerous if it is not filtered, as it becomes a vector for XSS attacks.

comment:3 Changed 9 years ago by Jared Jurkiewicz

This is, in fact, documented in the plugin documentation:

http://docs.dojocampus.org/dijit/_editor/plugins/ViewSource

Section: Limitations. Bullet #4.

-- Jared

Changed 9 years ago by mpawlow

Attachment: viewlet-editor.png added

comment:4 Changed 9 years ago by mpawlow

Resolution: invalid
Status: closed → reopened

This has become an issue in Rational Team Concert after adopting the View Source plug-in in place of our custom built source view for the HTML and Headlines viewlets.

Please see the following work item: https://jazz.net/jazz/resource/itemName/com.ibm.team.workitem.WorkItem/110866

Requiring the user to switch back to the Rich Text view from the Source view is problematic for the following reasons:

  • It is not obvious that you need to switch back to the Source view in order to sync up the editor contents
  • Switching back to the Rich Text view is an additional step in the editing work flow that is frustrating and should be unnecessary - especially for users who work primarily within the Source view only
  • The Source view is not treated as a first class citizen in terms of getting/saving contents

In the context of Web UI Dashboards, the HTML and Headlines viewlets allow the user to directly save the editor contents from the Source view. This is the behaviour they have come to expect with the old custom-built source view. Please see attached screen shot.

Given the current security requirements, is it possible to execute the script, comment, and iframe filters on the content when clients call the getValue method while still in the Source view? The filtering operations sound like they can be executed independently of the UI or presentation of the content in the Rich Text or Source views.

<snip>
// Execute filters regardless of presentation mode
var html = this._editor.getValue(false);
</snip>

Another alternative is to provide a programmatic way for the client to toggle the editor back and forth between the Rich Text and Source views - thereby, triggering the execution of filters indirectly. This solution is less desirable because the dijit Editor instance is cached and the presentation view the user was last in is preserved for their next editing task.

comment:5 Changed 9 years ago by Jared Jurkiewicz

Milestone: tbd → future

It is possible to run the filters, yes (hack-over-ride getValue of the editor and such, get content, run filters, return). They're not filters in the same sense as the usual registered DOM filters. These are built directly into the plugin and are run on text before and after it goes in and out.

Feel free to provide a patch to do so. I don't currently have time to work on this issue. My day job is consuming too much time, sorry. If time frees up for me I'll look at it, but right now I just don't have the time.

Changed 9 years ago by Jared Jurkiewicz

Patch to swizzle getValue when in VSmode.

Changed 9 years ago by Jared Jurkiewicz

Patch to swizzle getValue when in VSmode.

comment:6 Changed 9 years ago by Jared Jurkiewicz

Quick and dirty patch attached that swizzles out the 'getValue' when in source mode to pull from, and basic filter, the text area.

Feel free to test it out for problems.
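
The approach described in comment:5 and comment:6 (swap getValue while in source mode, read the text area, filter, return), sketched as an added example that is not the attached patch or dijit code. `stripUnsafe`, `enterSourceMode`, `exitSourceMode`, `makeEditor` and the sample markup are hypothetical and constructed for illustration.

```javascript
// Added illustration with hypothetical names; plain objects stand in for the
// editor widget and the source-view text area. Not dijit code.
// Text-level filters for script, comment and iframe content. Each tag pattern
// removes the opening tag and, when present, everything through its close tag.
const FILTERS = [
  /<script\b[^>]*>([\s\S]*?<\/script\b[^>]*>)?/gi,
  /<!--[\s\S]*?-->/g,
  /<iframe\b[^>]*>([\s\S]*?<\/iframe\b[^>]*>)?/gi,
];

function stripUnsafe(html) {
  // Repeat until stable: a removal can splice together a new match.
  let prev;
  do {
    prev = html;
    for (const re of FILTERS) html = html.replace(re, "");
  } while (html !== prev);
  return html;
}

function enterSourceMode(editor, sourceArea) {
  if (editor._richGetValue) return; // already in source mode
  editor._richGetValue = editor.getValue;
  editor.getValue = () => stripUnsafe(sourceArea.value);
}

function exitSourceMode(editor, sourceArea) {
  if (!editor._richGetValue) return;
  editor.getValue = editor._richGetValue;
  delete editor._richGetValue;
  // Content goes through the same filter on its way back to rich text.
  editor.setValue(stripUnsafe(sourceArea.value));
}

// Constructed stand-in for an editor with a getValue/setValue pair.
function makeEditor(initial) {
  let value = initial;
  return { getValue: () => value, setValue: (v) => { value = v; } };
}

function demo() {
  const editor = makeEditor("<p>old</p>");
  const area = { value: editor.getValue() };
  enterSourceMode(editor, area);
  area.value = '<p>new</p><script>track()</script><!-- n --><iframe src="x"></iframe>';
  const inSource = editor.getValue(); // read while still in source mode
  exitSourceMode(editor, area);
  return { inSource, afterToggle: editor.getValue() };
}
```

Text-level stripping of these three constructs leaves other markup, such as event-handler attributes, untouched, so the returned value still needs sanitizing wherever it is rendered.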

comment:7 Changed 9 years ago by Jared Jurkiewicz

Resolution: fixed
Status: reopened → closed

(In [22552]) Allowing source mode content pull with filtering. fixes #10943 !strict

comment:8 Changed 9 years ago by bill

Milestone: future → 1.6