Opened 8 years ago

Closed 8 years ago

#14784 closed defect (fixed)

_FormWidget and MappedTextBox replace ' with " in name attribute

Reported by: Justin Doherty Owned by: bill
Priority: undecided Milestone: 1.8
Component: Dijit - Form Version: 1.7.1
Keywords: Cc:
Blocked By: Blocking:

Description (last modified by Douglas Hays)

I am using Struts2 2.3.1.2 and Dojo 1.7.1. Struts2 allows population of a Map by setting the name of field to be like: <input ... name="mapName['mapKey']" .../>

Currently in Struts, or more specifically OpenSymphony's xwork library they validate parameter names using the following regex:

"\w+((\.\w+)|(\[\d+\])|(\(\d+\))|(\['\w+'\])|(\('\w+'\)))*"

Here is the documentation for struts on how to access map values: http://struts.apache.org/2.x/docs/type-conversion.html#TypeConversion-RelationshiptoParameterNames

My problem here is that _FormWidget and MappedTextBox both replace ' with &quot; for the nameAttrSetting property thus replacing my single quotes with &quot; making my parameter name no longer pass the above mentioned regex.

The code in both _FormWidget.js and MappedTextBox.js make references to http://www.w3.org/TR/REC-html40/appendix/notes.html#h-B.3.2 however the text in the link does not mention replacing single quote, it talks about replacing double quote with &quot;

I believe the the replacement here is in error and it should be replacing double quote and not single quote.

The lines of code in question are:

/dijit/form/MappedTextBox.js

line 79: this.valueNode = domConstruct.place("<input type='hidden'" + (this.name ? " name='" + this.name.replace(/'/g, "&quot;") + "'" : "") + "/>", this.textbox, "after");

/dijit/form/_FormWidget.js

line 70: this.nameAttrSetting = this.name ? ('name="' + this.name.replace(/'/g, "&quot;") + '"') : '';

I tried replacing this.name.replace(/'/g, "&quot;") with this.name.replace(/"/g, "&quot;") but found some problems with the resulting dom attributes in firebug so my suggestion would be to change them to:

this.name.replace(/"/g, "&quot;").replace(/'/g, "&#39;")

Attachments (1)

14784.patch (1.4 KB) - added by Douglas Hays 8 years ago.
patch to only escape double quote

Download all attachments as: .zip

Change History (5)

comment:1 Changed 8 years ago by Douglas Hays

Description: modified (diff)
Milestone: tbd1.8
Status: newassigned

Changed 8 years ago by Douglas Hays

Attachment: 14784.patch added

patch to only escape double quote

comment:2 Changed 8 years ago by Douglas Hays

Owner: changed from Douglas Hays to bill

This seems to have been broken by [21865] and [22538]. I don't see a need to escape a single quote at all.

comment:3 Changed 8 years ago by bill

I guess you are right, I'm not sure why I escaped single quotes in those checkins.

comment:4 Changed 8 years ago by bill

Resolution: fixed
Status: assignedclosed

In [27853]:

Fix quote escaping, thanks Doug, fixes #14784, refs #10970, #11442 !strict.

Note: See TracTickets for help on using tickets.