Re: Default WOString Behaviour
  • Subject: Re: Default WOString Behaviour
  • From: Ramsey Gurley <email@hidden>
  • Date: Wed, 07 Nov 2012 08:41:34 -0700

Hi Daniele,

&nbsp; does not render as a non-breaking space when serving a page as application/xhtml+xml mime type. Only the core named xml entities (&gt; &lt; &quot; etc…) render correctly. You should use the numbered entity &#160; for compatibility. I know Wonder uses a lot of named HTML entities, but if you ever work with real xhtml you will curse them.

I would not advise making escapeHTML=true by default. I suspect you will open yourself up to lots of XSS attacks that way as the default has always been false. Those of us designing components have not explicitly stated false in a binding in most places.

Furthermore, if you are using WOString to inject lots of HTML, you're doing it wrong. HTML belongs in the WODynamicElements and WOComponents. I make the singular exception for localized strings because creating localized components is typically overkill and creates lots of tedious redundancy.

In the localized string case (GSVExceptionViewer sounds like one) you should use escapeHTML=false, so the component should be patched. You simply must remember that you cannot redisplay a value directly back to the user without potentially opening yourself up to a cross site scripting attack. You should escape the value string before redisplaying it.

Ramsey

On Nov 7, 2012, at 6:42 AM, Daniele Corti wrote:

> Hi list,
> maybe a stupid question, but is there a way to define the default behaviour of WOString?
>
> I mean the WOString bindings have as default:
>
> escapeHTML = true;
> valueWhenEmpty = "";
>
> In most parts of my WebApps I define escapeHTML = "$false" and valueWhenEmpty = "&nbsp;", not just in Tables, to get correct HTML from WOString.
>
> The problem occurs when I use third-party components, where I cannot change the behaviour of subcomponents.
>
> For Example, I use the Validity.framework's GSVExceptionViewer component, to display errors.
>
> I've noticed that errors coming from the EOEnterpriseObject.checkConsistency() method have some HTML inside the text (e.g. in class User, if the email field is empty, it returns "Please provide a <b>Email</b>."), so when I display the error the HTML is escaped and rendered in the page, which is not very beautiful.
> To avoid this, I have changed the component's .wod file in order to use escapeHTML = false; on the WOString bindings, but it would be nice to do this globally.
>
> So, the question: is there a way to change default behavior of WOString, without subclassing it? For example a key in Properties file?
>
> Thanks in advance!
>
> --
> Daniele Corti
> --
> I DON'T DoubleClick
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list      (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden


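The two points Ramsey makes above (named entities such as &nbsp; break under application/xhtml+xml, and a value echoed back to the user must be escaped even when the surrounding localized message is trusted markup) can be checked outside WebObjects with plain JDK code. The following is an added example written for this page, not code from the thread, from Validity.framework or from Wonder; the template string, the placeholder name {value} and the helper names are assumptions made for illustration. It escapes with only the predefined XML entities plus numeric references, interpolates an untrusted value into a trusted message the way a patched GSVExceptionViewer would need to, and feeds both entity spellings through an XML parser the way an XHTML consumer would.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.helpers.DefaultHandler;

public class WOStringEscapingDemo {

    /**
     * Escape a value for use as XHTML text content. Only the five predefined
     * XML entities and numeric character references are emitted, so the result
     * is valid whether the page is served as text/html or application/xhtml+xml.
     */
    static String escapeForXhtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':      sb.append("&amp;");  break;
                case '<':      sb.append("&lt;");   break;
                case '>':      sb.append("&gt;");   break;
                case '"':      sb.append("&quot;"); break;
                case '\'':     sb.append("&#39;");  break; // &apos; is XML-only, so use a number
                case '\u00A0': sb.append("&#160;"); break; // numeric form, never &nbsp;
                default:       sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Model of the localized-message case: the template is trusted code and may
     * carry markup (so the WOString showing it needs escapeHTML=false), while the
     * value being echoed back is user input and is escaped before interpolation.
     * The "{value}" placeholder is an assumption of this example.
     */
    static String renderValidationMessage(String trustedTemplate, String untrustedValue) {
        return trustedTemplate.replace("{value}", escapeForXhtml(untrustedValue));
    }

    /**
     * Parse a fragment as XML, which is what an application/xhtml+xml consumer
     * does. Returns false when the fragment is not well-formed, e.g. because it
     * references an entity that no DTD has declared.
     */
    static boolean parsesAsXml(String fragment) {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            // Refuse DOCTYPEs so the check cannot be turned into an XXE vector.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            DocumentBuilder builder = factory.newDocumentBuilder();
            // DefaultHandler rethrows fatal errors without printing to stderr.
            builder.setErrorHandler(new DefaultHandler());
            builder.parse(new ByteArrayInputStream(fragment.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input for this example; not taken from the thread.
        String template = "Please provide a <b>Email</b>. You entered: <i>{value}</i>";
        String hostileValue = "<script>alert(document.cookie)</script>";

        System.out.println("escaped value inside trusted markup:");
        System.out.println(renderValidationMessage(template, hostileValue));

        System.out.println("same value passed straight through (escapeHTML=false on the value):");
        System.out.println(template.replace("{value}", hostileValue));

        System.out.println("<p>&nbsp;</p> well-formed as XML: " + parsesAsXml("<p>&nbsp;</p>"));
        System.out.println("<p>&#160;</p> well-formed as XML: " + parsesAsXml("<p>&#160;</p>"));
    }
}
```

Compile and run with `javac WOStringEscapingDemo.java && java WOStringEscapingDemo`. The second printed line is the XSS shape Ramsey warns about: the script tag survives intact because the untrusted value rode along inside a string that had to be rendered unescaped. The last two lines show why a numeric reference is the portable choice; an XML parser with no DTD has no definition for nbsp, while &#160; needs none.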


  • Follow-Ups:
    • Re: Default WOString Behaviour (From: Ramsey Gurley <email@hidden>)
  • References:
    • Default WOString Behaviour (From: Daniele Corti <email@hidden>)
