Ross,

Thanks - yes, the NodeSeq is all generated from templates internally.
The end user does not have any access to change this stuff so this
particular security issue shouldn't be a problem in this case.

Stuart.

On Mar 9, 5:30 pm, Ross Mellgren <dri...@gmail.com> wrote:
> Ah yes, the reason I went through the fixHtml route is because Stuart 
> specifically mentioned he wanted to process those.
>
> Stuart, you should make sure to properly secure this stuff -- either as an 
> admin-only thing (understanding that that person has as much rights as you) 
> or by scrubbing the XML thoroughly.
>
> -Ross
>
> On Mar 9, 2010, at 12:26 PM, David Pollak wrote:
>
> > On Tue, Mar 9, 2010 at 9:14 AM, Ross Mellgren <dri...@gmail.com> wrote:
> > Try this (I haven't tested it, so there could be lurking bugs):
>
> > case class JQueryNodeSeq(ns: NodeSeq) extends JsExp with JQueryLeft with HtmlFixer {
> >   override def toJsCmd = "jQuery(" + JsStr(fixHtml("NodeSeqDialog", ns)).toJsCmd + ")"
> > }
>
> > Ross,
>
> > This is good code, but introduces a potential security vulnerability. ;-)
>
> > fixHtml runs the NodeSeq through Lift's snippet handler.  If you have 
> > web-user input, a user could type in <lift:xxxx/> and cause server-side 
> > code to be executed.
>
> > import net.liftweb.util._
> > import Helpers._
>
> > Personally, I'd suggest "jQuery(" + AltXML.toXML(nodeSeq, false, true).encJs + ")"
>
> > Thanks,
>
> > David
>
> > Then JQueryNodeSeq(ns) ~> JsFunc("dialog")
>
> > -Ross
>
> > On Mar 9, 2010, at 12:06 PM, Stuart Roebuck wrote:
>
> > > I'm trying to produce a web page with editable content.
>
> > > When the user clicks an edit button on a line it uses jQuery to
> > > display a modal dialog which allows fields of that line to be edited.
>
> > > I can easily produce a snippet to produce the lines using the backend
> > > data and an XHTML template and binding etc.
>
> > > However, I also want the template to include the template for the
> > > dialog.  So I want the ajax button callback to send JavaScript to
> > > instantiate the jQuery UI dialog based on the template and bindings.
>
> > > To build this I need to assemble a JsCmd containing the NodeSeq that
> > > comes from the XHTML sequence and the bindings.
>
> > > In short, if this was straight jQuery I would have some JavaScript of
> > > the form:
>
> > > $(<div title="Dialog Title">theFormNodeSeq</div>).dialog()
>
> > > But in my case theFormNodeSeq comes from a NodeSeq that was assembled
> > > from part of the XHTML template and the bindings and the end result
> > > needs to be a JsCmd.
>
> > > So I'm trying to do something like:
>
> > > JsCmds.Run("$(" + theFormNodeSeq.toString + ").dialog()")
>
> > > But I need to address escaping issues with the HTML and I also need to
> > > pre-process any "<lift:… />" commands in theFormNodeSeq.
>
> > > Any advice (please)?
>
> > > --
> > > You received this message because you are subscribed to the Google Groups 
> > > "Lift" group.
> > > To post to this group, send email to lift...@googlegroups.com.
> > > To unsubscribe from this group, send email to 
> > > liftweb+unsubscr...@googlegroups.com.
> > > For more options, visit this group 
> > > at http://groups.google.com/group/liftweb?hl=en.
>
> > --
> > Lift, the simply functional web framework http://liftweb.net
> > Beginning Scala http://www.apress.com/book/view/1430219890
> > Follow me: http://twitter.com/dpp
> > Surf the harmonics

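The exchange above turns on one point: Lift snippets are server-side functions chosen by `<lift:name/>` elements, so any markup that reaches the snippet pass (which is what fixHtml runs) lets whoever wrote that markup pick which server-side code executes. The following is an added example, written for this page; it is not Lift's code and not code from anyone in the thread. It builds a toy, hypothetical snippet registry and a `runSnippets` walk standing in for Lift's snippet dispatch, an illustrative `jsString` escaper standing in for `encJs`, and a constructed template and attacker input. It contrasts Stuart's original assembly (user data parsed as markup, whole tree run through the snippet pass) with the pattern David's suggestion amounts to: run snippets over the trusted template only, bind user data as Text nodes, then serialise and JS-escape the result without a second pass. It needs only scala.xml.

```scala
import scala.xml._

// Added illustration (not Lift's code, not code from the thread). The registry,
// snippets, template and attacker input are all constructed for the demo.
object SnippetInjectionDemo {

  // Something only the server should ever see; a snippet that leaks it models
  // "server-side code the user should not be able to trigger".
  val serverSecret = "only-the-server-should-see-this"

  // Hypothetical snippet registry standing in for Lift's snippet dispatch.
  val snippets: Map[String, NodeSeq => NodeSeq] = Map(
    "greeting" -> (_ => <span class="greeting">Hello from the server</span>),
    "dump"     -> (_ => <pre>{serverSecret}</pre>)   // reachable via <lift:dump/>
  )

  /** Toy stand-in for the snippet pass that fixHtml triggers: every lift-prefixed
    * element is replaced by the output of the named server-side snippet. */
  def runSnippets(ns: NodeSeq): NodeSeq = NodeSeq.fromSeq(ns.flatMap {
    case e: Elem if e.prefix == "lift" =>
      snippets.get(e.label).map(_(NodeSeq.fromSeq(e.child))).getOrElse(NodeSeq.Empty)
    case e: Elem => e.copy(child = runSnippets(NodeSeq.fromSeq(e.child)))
    case other   => other
  })

  /** Bind a value into the template's <span class="user"/> placeholder. */
  def bindUser(ns: NodeSeq, value: NodeSeq): NodeSeq = NodeSeq.fromSeq(ns.map {
    case e: Elem if e.label == "span" && (e \ "@class").text == "user" =>
      e.copy(child = value)
    case e: Elem => e.copy(child = bindUser(NodeSeq.fromSeq(e.child), value))
    case other   => other
  })

  /** JavaScript string literal for s. Illustrative escaper only; in Lift the real
    * one is String.encJs from net.liftweb.util.Helpers. */
  def jsString(s: String): String = {
    val sb = new StringBuilder("\"")
    s.foreach {
      case '"'      => sb.append("\\\"")
      case '\\'     => sb.append("\\\\")
      case '\n'     => sb.append("\\n")
      case '\r'     => sb.append("\\r")
      case '<'      => sb.append("\\u003c")   // "</script>" cannot close an inline script
      case '>'      => sb.append("\\u003e")
      case '\u2028' => sb.append("\\u2028")   // JS line terminators, legal in XML text
      case '\u2029' => sb.append("\\u2029")
      case c        => sb.append(c)
    }
    sb.append("\"").toString
  }

  /** Vulnerable assembly: user input parsed as markup, merged into the template,
    * and the whole tree handed to the snippet pass. */
  def dialogJsVulnerable(template: Elem, userInput: String): String = {
    val userAsMarkup = NodeSeq.fromSeq(XML.loadString("<w>" + userInput + "</w>").child)
    val rendered = runSnippets(bindUser(template, userAsMarkup))
    "jQuery(" + jsString(rendered.toString) + ").dialog()"
  }

  /** Safer assembly: snippets run over the trusted template only; user input is
    * bound as a Text node (escaped on serialisation) and the result goes straight
    * to the JS escaper with no further pass through the snippet handler. */
  def dialogJsSafe(template: Elem, userInput: String): String = {
    val rendered = bindUser(runSnippets(template), Text(userInput))
    "jQuery(" + jsString(rendered.toString) + ").dialog()"
  }

  def main(args: Array[String]): Unit = {
    val template  = <div title="Dialog Title"><lift:greeting/><span class="user"></span></div>
    val userInput = "<lift:dump/>"   // constructed attacker input for a plain text field

    val unsafeJs = dialogJsVulnerable(template, userInput)
    val safeJs   = dialogJsSafe(template, userInput)

    // The dump snippet ran on the server in the unsafe path ...
    assert(unsafeJs.contains(serverSecret))
    // ... while the safe path ships the payload as inert, escaped text.
    assert(!safeJs.contains(serverSecret))
    assert(safeJs.contains("&lt;lift:dump/&gt;"))

    println(unsafeJs)
    println(safeJs)
  }
}
```

Two things carry the weight here, and both apply in Lift itself. First, user-supplied content enters the tree only as Text, never by parsing it into elements, so a `<lift:...>` typed by a user can never become an Elem the snippet pass would dispatch on. Second, the snippet pass runs once, over the template the developer wrote, and its output is serialised and escaped (AltXML.toXML plus encJs in Lift) rather than being fed back through fixHtml. Stuart's case, where the NodeSeq is generated entirely from internal templates, is exactly the situation in which the first rule already holds, which is why Ross's admin-only caveat is the relevant one there: whoever can edit those templates can run server-side code.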