#478 closed defect (fixed)
Buggy string injection in buildFromTemplate in domWidget
Reported by: |  | Owned by: | dylan
---|---|---|---
Priority: | high | Milestone: |
Component: | Widgets | Version: | 0.2
Keywords: |  | Cc: |
Blocked By: |  | Blocking: |
Description
Say you have a template like this: <div id="${this.widgetId}" class="dojoFloatingPane" dojoAttachEvent="onMouseDown">
This usually works fine, but not for all exotic values of this.widgetId. I for example have found it nice to put some inline json representation as widgetIds, I'd typically do like this: <div dojoType="EditorTreeNode" widgetId="{&quot;folder&quot;:15}" title="Notes">
The &quot; will be translated to " so the widgetId becomes correct json, but will then be substituted back as it is into the template. The problem is that the substituted template will look like this: <div id="{"folder":15}" ... ,
which is wrong by both common sense and standards.
In the end I got only "{" as widget ids.
The resolution is below. Thanks,
Henrik Hjelte
Insert these lines at line 452 in domWidget.js
// Safer substitution, see heading "Attribute values" in
// http://www.w3.org/TR/REC-html40/appendix/notes.html#h-B.3.2
// Escape every double quote so the value cannot terminate the attribute it is
// substituted into; only string values need (or support) this.
if (dojo.lang.isString(value)) {
    value = value.replace(/"/g, "&quot;");
}
In a larger context it now looks like this:
// FIXME: this is a lot of string munging. Can we make it faster?
for(var i = 0; i < matches.length; i++) {
    var key = matches[i];
    key = key.substring(2, key.length-1);            // strip the ${ and } around the key
    var kval = (key.substring(0, 5) == "this.") ? this[key.substring(5)] : hash[key];
    var value;
    if((kval)||(dojo.lang.isString(kval))){
        value = (dojo.lang.isFunction(kval)) ? kval.call(this, key, this.templateString) : kval;
        // Safer substitution, see heading "Attribute values" in
        // http://www.w3.org/TR/REC-html40/appendix/notes.html#h-B.3.2
        // Escape every double quote so the value cannot terminate the attribute it is
        // substituted into; only string values need (or support) this.
        if (dojo.lang.isString(value)) {
            value = value.replace(/"/g, "&quot;");
        }
        tstr = tstr.replace(matches[i], value);
    }
}
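The failure mode described above and the attribute escaping that fixes it, as an added example in plain JavaScript. This is neither Dojo code nor the reporter's patch: `expandTemplate`, `escapeAttr`, `readAttr`, `demo` and the sample widget id are constructed here. `readAttr` is a deliberately small model of how a browser delimits a double-quoted attribute value (everything up to the next `"`), which is exactly why the raw substitution yields an id of `{`. The escaper goes beyond the patch in also handling `&`, `<`, `>` and `'`, so the same value is safe inside a single-quoted attribute as well.

```javascript
// Added example (not Dojo code): raw vs. attribute-escaped template substitution.
// All names and the sample widget id below are constructed for this illustration.

// Minimal stand-in for Dojo's ${...} template expansion over a key -> value hash.
function expandTemplate(template, hash, escapeFn) {
  return template.replace(/\$\{([^}]+)\}/g, function (match, key) {
    var value = hash[key];
    if (value === undefined) return match;        // leave unknown keys untouched
    value = String(value);
    // Returning from a replacer function inserts the value literally, so a value
    // containing "$&" or "$1" is not reinterpreted as a replacement pattern.
    return escapeFn ? escapeFn(value) : value;
  });
}

// Escape a value for use inside an HTML attribute. "&" goes first so the entities
// emitted afterwards are not escaped a second time. Covers the characters HTML 4
// appendix B.3.2 discusses for attribute values, plus <, > and the single quote.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Tiny model of a browser reading a double-quoted attribute: take everything up
// to the next '"', then decode the entities this example knows about.
function readAttr(markup, name) {
  var re = new RegExp(name + '="([^"]*)"');
  var m = re.exec(markup);
  if (!m) return null;
  return m[1]
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Constructed inputs: the template from the report and an inline-JSON widget id.
var TEMPLATE = '<div id="${widgetId}" class="dojoFloatingPane" dojoAttachEvent="onMouseDown"></div>';
var WIDGET_ID = '{"folder":15}';

function demo() {
  var raw = expandTemplate(TEMPLATE, { widgetId: WIDGET_ID });
  var safe = expandTemplate(TEMPLATE, { widgetId: WIDGET_ID }, escapeAttr);
  return {
    rawMarkup: raw,                  // <div id="{"folder":15}" class=...  (broken)
    rawId: readAttr(raw, "id"),      // "{"  -- the truncated id from the report
    safeMarkup: safe,                // <div id="{&quot;folder&quot;:15}" class=...
    safeId: readAttr(safe, "id")     // '{"folder":15}'
  };
}
```

Run with node: `demo().rawId` comes back as `{`, the truncated id the reporter saw, while `demo().safeId` round-trips the full JSON string. A second hazard of the original `tstr.replace(matches[i], value)` call is that a string `value` containing `$&` or `$1` is interpreted as a replacement pattern; passing a replacer function, as `expandTemplate` does, avoids that regardless of escaping.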
Change History (8)
comment:1 Changed 15 years ago by
Milestone: | → 0.3release
---|---
comment:2 Changed 15 years ago by
I'm not sure why you think we should fix this. This is a browser attribute escaping issue and I think it's just easier to tell you not to use " and instead use a "'" char.
Regards
comment:3 Changed 15 years ago by
I think it should be fixed because it is a bug. Dojo doesn't follow the W3C recommendations for its own templates. And I have the solution, so why hesitate to apply it? It's not a problem for me anymore, but maybe for someone else. It's not the kind of bug that beeps loudly either... Parts of ids mysteriously disappearing, a case for Sherlock Holmes.
If you think it's better to prohibit double quotes, I think it at least should be documented somewhere. Just my two cents.
Best regards,
comment:4 Changed 15 years ago by
Milestone: | 0.3release → 0.4
---|---
comment:5 Changed 15 years ago by
Owner: | changed from anonymous to dylan
---|---
Status: | new → assigned
comment:6 Changed 15 years ago by
Resolution: | → fixed
---|---
Status: | assigned → closed
We need this for svg widgets, where you can't just use a " character.