#16452 closed defect (fixed)
security exceptions setting name through innerHTML (Windows 8 apps)
Reported by: | Paul Christopher | Owned by: | bill |
---|---|---|---|
Priority: | undecided | Milestone: | 1.9 |
Component: | Dijit | Version: | 1.8.1 |
Keywords: | Cc: | ||
Blocked By: | Blocking: |
Description
Broken off from #16432...
Windows 8 applications by default throw exceptions when the app tries to create a DOMNode with the name attribute via assignment to innerHTML, i.e.:
foo.innerHTML = "<input name=bar>";
This bites dijit in two (known) places:
- MappedTextBox
- the templates for the form widgets that don't extend MappedTextBox, that contain the ${nameAttrSetting} substitution variable.
The irony is that we are setting the "name" attribute through innerHTML, rather than saying node.setAttribute("name", ...), to workaround bugs in old versions of IE (IE6 and IE7 IIRC).
The solution is to either use MSApp.execUnsafeLocalFunction(), or to to use node.setAttribute("name", ...).
Change History (7)
comment:1 Changed 8 years ago by
Reporter: | changed from bill to Paul Christopher |
---|
comment:2 Changed 8 years ago by
Milestone: | tbd → 1.9 |
---|---|
Status: | new → assigned |
comment:4 Changed 8 years ago by
This commit is breaking applications that set name="something" on widgets that are inheriting from Button but do not have a valueNode. They now throw an exception they did not throw before (it seems from previous code valueNode used to be optional, it is not anymore). See my comment on this other ticket:
comment:5 Changed 8 years ago by
OK, understood. I'll add workaround code in Button just so people don't claim that dojo is broken, although if there are widgets that extended Button and yet don't specify a value node, it really seems like an error in those classes. In other words, whenever you subclass a widget you need to specify all the attach-points that the original widget had, and I don't see why Button should be different just because it didn't used to cause an exception.
BTW Paul, you shouldn't have made a username with spaces in it, it apparently stops you from being CC'd on tickets. I marked #16451 and this ticket from you though since they are based on your original ticket.