As quoted from Gertjan van Oosten <[EMAIL PROTECTED]>:
> As quoted from Andreas Hocevar <[EMAIL PROTECTED]>:
> > serializedDoc.unescape is the wrong way to do it. The correct way is
> > serializedDoc.replace(/&lt;/g,"<").replace(/&gt;/g,">").replace(/&amp;/g,"&");
> >
> > This is also used in lib/widget/TipWidgetOL.
>
> But you need to do that only if for some reason you need to unescape
> stuff, which should normally be unnecessary.

In fact, it could even be harmful; what if some aspect of your feature, say the name, contains specially crafted HTML tags? Your application might break. You should never unescape input that's user-provided. Too bad the nightly examples are currently down, otherwise I would show it in the wfs-t demo.

> > Note that just returning
> > the serializedDoc also will not produce the expected result.
>
> Why not? It is correct XML, and should be output as such.

Let me stress this, because I think it's important: the current paint() method in WidgetBaseXSL calls transformNodeToString(), which means all widgets potentially suffer from this bug. There should be no need to unescape the serializedDoc, since the XML it contains is already valid. If it for some reason contains escaped characters that you need to unescape (although I still don't see a clear case for this), do it where you need them unescaped, not in the basic widget transform.

regards,
--
-- Gertjan van Oosten, [EMAIL PROTECTED], West Consulting B.V., +31 15 2191 600
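
The effect described in the message above, as an added example that is not Mapbuilder code and not written by either poster: a feature name containing markup stays text while the serialized document is left escaped, and becomes extra elements once the `replace` chain from the thread is applied to the whole document. The function names, the `tip` markup and the feature name are constructed for illustration.

```javascript
// Added example; all names and sample data here are hypothetical.

// What an XML serializer does to character data in a text node.
function escapeXml(text) {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// The unescape chain quoted in the thread, applied to a whole document.
function unescapeMarkup(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Names of the elements opened in a markup string (start tags only).
function elementNames(markup) {
  const names = [];
  const re = /<([A-Za-z][\w:.-]*)[^>]*>/g;
  let m;
  while ((m = re.exec(markup)) !== null) names.push(m[1]);
  return names;
}

// Constructed, user-provided feature name that contains HTML tags.
const featureName = 'Pier 7 <img src="x"> & <b>Co</b>';

// Constructed stand-in for the transform output: the name sits in a text
// node, so the serializer has escaped it and the document is valid XML.
const serializedDoc =
  '<div class="tip"><span>' + escapeXml(featureName) + "</span></div>";

// Compare the element structure with and without the global unescape.
function compareStructure() {
  const unescaped = unescapeMarkup(serializedDoc);
  return {
    asSerialized: elementNames(serializedDoc), // widget's own elements only
    afterUnescape: elementNames(unescaped),    // user text now parsed as tags
    bareAmpersand: unescaped.includes(" & "),  // no longer well-formed XML
  };
}

// Unescaping only where the plain value is needed: decode the one text
// value and hand it to a text-only sink (e.g. textContent), never to markup.
function plainTextOf(escapedValue) {
  return unescapeMarkup(escapedValue);
}

console.log(compareStructure());
console.log(plainTextOf(escapeXml(featureName)) === featureName);
```

Left as serialized, the document contains only the widget's `div` and `span`; after the global unescape it also contains `img` and `b` elements that came from the feature name.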
