Re: Default WOString Behaviour
- Subject: Re: Default WOString Behaviour
- From: Ramsey Gurley <email@hidden>
- Date: Wed, 07 Nov 2012 08:41:34 -0700
Hi Daniele,
&nbsp; does not render as a non-breaking space when serving a page as application/xhtml+xml mime type. Only the core named xml entities (&gt; &lt; &quot; etc…) render correctly. You should use the numbered entity &#160; for compatibility. I know Wonder uses a lot of named HTML entities, but if you ever work with real xhtml you will curse them.
I would not advise making escapeHTML=true by default. I suspect you will open yourself up to lots of XSS attacks that way as the default has always been false. Those of us designing components have not explicitly stated false in a binding in most places.
Furthermore, if you are using WOString to inject lots of HTML, you're doing it wrong. HTML belongs in the WODynamicElements and WOComponents. I make the singular exception for localized strings because creating localized components is typically overkill and creates lots of tedious redundancy.
In the localized string case (GSVExceptionViewer sounds like one) you should escapeHTML=false, so the component should be patched. You simply must remember that you cannot redisplay a value directly back to the user without potentially opening yourself up to a cross-site scripting attack. You should escape the value string before redisplaying it.
Ramsey
On Nov 7, 2012, at 6:42 AM, Daniele Corti wrote:
> Hi list,
> maybe stupid question, but, is there a way to define the default behaviour of WOString?
>
> I mean WOString binding have as default:
>
> escapeHTML = true;
> valueWhenEmpty = "";
>
> In most parts of my WebApps I define escapeHTML = "$false" and valueWhenEmpty = "&nbsp;", not just in Tables, to get correct HTML from WOString.
>
> The problem occurs when I use components from third parties, where I cannot change the behaviour of subcomponents.
>
> For Example, I use the Validity.framework's GSVExceptionViewer component, to display errors.
>
> I've noticed errors coming from the EOEnterpriseObject.checkConsistency() method have some HTML inside the text (e.g. in class User, if the email field is empty, it returns "Please provide a <b>Email</b>."), so when I display the error the HTML is escaped and rendered in the page, which is not very beautiful.
> To avoid this, I have changed the component's .wod file in order to use escapeHTML = false; on the WOString bindings, but it would be nice to do this globally.
>
> So, the question: is there a way to change default behavior of WOString, without subclassing it? For example a key in Properties file?
>
> Thanks in advance!
>
> --
> Daniele Corti
> --
> I DON'T DoubleClick
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
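The point Ramsey makes (escapeHTML=false is acceptable for messages whose markup the developer wrote, but anything echoed from the user must be escaped before it is mixed into such a message) as an added, self-contained illustration. This is not code from WebObjects, Wonder or the Validity framework: `renderWOString` is a hypothetical stand-in that only models the escapeHTML / valueWhenEmpty binding semantics discussed in the thread, `emailErrorMessage` is a hypothetical checkConsistency-style message builder, and the hostile input is a constructed sample.

```java
/**
 * Added illustration (not WebObjects/Wonder/Validity code).
 * Shows why a markup-bearing validation message needs escapeHTML=false,
 * and why that is only safe when user-supplied fragments were escaped
 * at the point the message was built.
 */
public final class WOStringEscapingDemo {

    /** Minimal HTML escaper for the five characters that matter in text and attribute context. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Hypothetical stand-in for WOString rendering, modelling only the two
     * bindings from the thread: an empty value yields valueWhenEmpty verbatim,
     * otherwise the value is emitted, escaped unless escapeHTML is false.
     */
    public static String renderWOString(String value, boolean escapeHTML, String valueWhenEmpty) {
        if (value == null || value.isEmpty()) {
            return valueWhenEmpty == null ? "" : valueWhenEmpty;
        }
        return escapeHTML ? escapeHtml(value) : value;
    }

    /**
     * Hypothetical checkConsistency-style message builder. The <b> markup is the
     * developer's; the echoed user input is escaped BEFORE concatenation, so the
     * result can be bound to a WOString with escapeHTML=false without an XSS hole.
     */
    public static String emailErrorMessage(String enteredEmail) {
        if (enteredEmail == null || enteredEmail.trim().isEmpty()) {
            return "Please provide a <b>Email</b>.";
        }
        return "<b>" + escapeHtml(enteredEmail) + "</b> is not a valid email address.";
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for whatever a user typed into the email field.
        String hostile = "<script>alert(1)</script>";

        // 1. Markup-bearing message with escapeHTML=true: the <b> tags show up literally
        //    (the "not very beautiful" rendering from the original question).
        System.out.println(renderWOString(emailErrorMessage(""), true, "&#160;"));

        // 2. Same message with escapeHTML=false: the bold tag renders as intended.
        System.out.println(renderWOString(emailErrorMessage(""), false, "&#160;"));

        // 3. escapeHTML=false stays safe because the echoed input was escaped when the
        //    message was built, not left for the component to (maybe) escape later.
        System.out.println(renderWOString(emailErrorMessage(hostile), false, "&#160;"));

        // 4. An empty value falls through to valueWhenEmpty; &#160; is the numeric
        //    form of the non-breaking space that XHTML parsers accept, unlike &nbsp;.
        System.out.println(renderWOString("", false, "&#160;"));
    }
}
```

The design choice this mirrors: escape at the boundary where untrusted text enters a string the template will later trust, rather than flipping a global default. A global escapeHTML=false would silently turn every existing WOString that relies on the escaping default into a place where user input reaches the page unescaped.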