Opened 14 years ago

Closed 13 years ago

Last modified 12 years ago

#478 closed defect (fixed)

Buggy string injection in buildFromTemplate in domWidget

Reported by: henrik@… Owned by: dylan
Priority: high Milestone:
Component: Widgets Version: 0.2
Keywords: Cc:
Blocked By: Blocking:

Description

Say you have a template like this: <div id="${this.widgetId}" class="dojoFloatingPane" dojoAttachEvent="onMouseDown">

This usually works fine, but not for all exotic values of this.widgetId. I for example have found it nice to put some inline JSON representation as widgetId:s, I'd typically do like this: <div dojoType="EditorTreeNode" widgetId="{&quot;folder&quot;:15}" title="Notes">

The &quot will be translated to " so the widgetId becomes correct json, but will then be substituted back as it is into the template. The problem is that the substituted template will look like this: <div id="{"folder":15}" ... ,

which is wrong by both common sense and standards.

In the end I got only "{" as widget-Id:s.

The resolution is below, Thanks,

Henrik Hjelte


Insert these lines at line 452 in domWidget.js

	// Safer substitution, see heading "Attribute values" in  
	// http://www.w3.org/TR/REC-html40/appendix/notes.html#h-B.3.2
	while (value.indexOf('"') > -1)
		value = value.replace('"', "&quot;");

In a larger context it now looks like this:

// FIXME: this is a lot of string munging. Can we make it faster?
for(var i = 0; i < matches.length; i++) {
	var key = matches[i];
	key = key.substring(2, key.length-1);
	var kval = (key.substring(0, 5) == "this.") ? this[key.substring(5)] : hash[key];
	var value;
	if((kval)||(dojo.lang.isString(kval))){
		value = (dojo.lang.isFunction(kval)) ? kval.call(this, key, this.templateString) : kval;
		// Safer substitution, see heading "Attribute values" in  
		// http://www.w3.org/TR/REC-html40/appendix/notes.html#h-B.3.2
		while (value.indexOf('"') > -1)
			value = value.replace('"', "&quot;");
		tstr = tstr.replace(matches[i], value);
	}
}
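
The failure described in this ticket, as an added example that is not part of the original report and is not Dojo's code: the same template is filled once without and once with attribute escaping, and a minimal stand-in for an HTML parser shows which id each result yields. The names fillTemplate, escapeAttr and readIdAttr are hypothetical, and the example goes beyond the proposed fix by also escaping & and <.

```javascript
// Added example: hypothetical helper names, not Dojo's API.
const TEMPLATE = '<div id="${widgetId}" class="dojoFloatingPane">';

// Escape a value for use inside a double-quoted attribute.
// "&" goes first so the entities produced afterwards are not re-escaped.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;");
}

// Substitute ${key} placeholders. A replacer function is used so that "$"
// sequences in the value are not interpreted as replacement patterns.
function fillTemplate(template, hash, escape) {
  return template.replace(/\$\{([^}]+)\}/g, (match, key) => {
    if (!Object.prototype.hasOwnProperty.call(hash, key)) return match;
    return escape ? escapeAttr(hash[key]) : String(hash[key]);
  });
}

// Minimal stand-in for what an HTML parser does with the id attribute:
// read up to the first closing double quote, then decode entities
// ("&amp;" last, so an escaped "&quot;" stays literal text).
function readIdAttr(markup) {
  const m = /\bid="([^"]*)"/.exec(markup);
  if (!m) return null;
  return m[1]
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, "<")
    .replace(/&amp;/g, "&");
}

const widgetId = '{"folder":15}'; // constructed sample value, as in the ticket
const naive = fillTemplate(TEMPLATE, { widgetId }, false);
const escaped = fillTemplate(TEMPLATE, { widgetId }, true);
console.log(naive, "->", readIdAttr(naive));
console.log(escaped, "->", readIdAttr(escaped));
```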

Change History (8)

comment:1 Changed 14 years ago by anonymous

Milestone: 0.3release

comment:2 Changed 14 years ago by alex

I'm not sure why you think we should fix this. This is a browser attribute escaping issue and I think it's just easier to tell you not to use &quot; and instead use a "'" char.

Regards

comment:3 Changed 14 years ago by Henrik Hjelte

I think it should be fixed because it is a bug. Dojo doesn't follow the W3C recommendations for its own templates. And I have the solution so why hesitate to apply it? It's not a problem for me anymore, but maybe for someone else. It's not the kind of bug that beeps loudly either... Parts of id:s mysteriously disappearing, a case for Sherlock Holmes.

If you think it's better to prohibit double quotes, I think it at least should be documented somewhere. Just my two cents.

Best regards,

comment:4 Changed 14 years ago by skinner

Milestone: changed from 0.3release to 0.4

comment:5 Changed 13 years ago by dylan

Owner: changed from anonymous to dylan
Status: changed from new to assigned

comment:6 Changed 13 years ago by dylan

Resolution: fixed
Status: changed from assigned to closed

We need this for svg widgets, where you can't just use a " character.

comment:7 Changed 13 years ago by dylan

fixed in [5318]

comment:8 Changed 12 years ago by (none)

Milestone: 0.4

Milestone 0.4 deleted
