#478 closed defect (fixed)
Buggy string injection in buildFromTemplate in domWidget
| Reported by: | Owned by: | dylan | |
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | Widgets | Version: | 0.2 |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: |
Description
Say you have a template like this: <div id="${this.widgetId}" class="dojoFloatingPane" dojoAttachEvent="onMouseDown">
This ususally works fine, but not for all exotic values of this.widgetId. I for example have found it nice to put some inline json representation as widgetId:s, I'd typic do like this: <div dojoType="EditorTreeNode?" widgetId="{"folder":15}" title="Notes">
The " will be translated to " so the widgetId becomes correct json, but will then be substituted back as it is into the template. The problem is that the substituted template will look like this: <div id="{"folder":15}" ... ,
which is wrong by both common sense and standards.
In the end I got only "{" as widget-Id:s.
The resolution is below, Thanks,
Henrik Hjelte
Insert these lines at line 452 in domWidget.js
// Safer substitution, see heading "Attribute values" in
// http://www.w3.org/TR/REC-html40/appendix/notes.html#h-B.3.2
while (value.indexOf(""") > -1)
value=value.replace(""",""");
In a larger context it now looks like this:
// FIXME: this is a lot of string munging. Can we make it faster?
for(var i = 0; i < matches.length; i++) {
var key = matches[i];
key = key.substring(2, key.length-1);
var kval = (key.substring(0, 5) == "this.") ? this[key.substring(5)] : hash[key];
var value;
if((kval)||(dojo.lang.isString(kval))){
value = (dojo.lang.isFunction(kval)) ? kval.call(this, key, this.templateString) : kval;
// Safer substitution, see heading "Attribute values" in
// http://www.w3.org/TR/REC-html40/appendix/notes.html#h-B.3.2
while (value.indexOf(""") > -1)
value=value.replace(""",""");
tstr = tstr.replace(matches[i], value);
}
}
Change History (8)
comment:1 Changed 14 years ago by
| Milestone: | → 0.3release |
|---|
comment:2 Changed 14 years ago by
comment:3 Changed 14 years ago by
I think it should be fixed because it is a bug. Dojo doesn't follow the W3C recommendations for its own templates. And I have the solution so why hesitate to apply it? It's not a problem for me anymore, but maybe for the someone else. It's not the kind of bug that beeps loudly either... Parts of id:s mysteriouly dissappearing, a case for Sherlock Holmes.
If you think it's better to prohibit double quotes, I think it at least should be documented somewhere. Just my two cents.
Best regards,
comment:4 Changed 13 years ago by
| Milestone: | 0.3release → 0.4 |
|---|
comment:5 Changed 13 years ago by
| Owner: | changed from anonymous to dylan |
|---|---|
| Status: | new → assigned |
comment:6 Changed 13 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
We need this for svg widgets, where you can't just use a " character.
I'm not sure why you think we should fix this. This is a browser attribute escaping issue and I think it's just easier to tell you not to use " and instead us a "'" char.
Regards