As quoted from Andreas Hocevar <[EMAIL PROTECTED]>:
> On 8/7/07, Gertjan van Oosten <[EMAIL PROTECTED]> wrote:
> > In fact, it could even be harmful; what if some aspect of your feature,
> > say the name, contains specially crafted HTML tags?  Your application
> > might break.  You should never unescape input that's user-provided.
> > Too bad the nightly examples are currently down, otherwise I would show
> > it in the wfs-t demo.
> 
> What exactly do you want to show?

That with the current codebase it breaks if I fill in HTML code in a
feature field.  And after that, you can't repair it anymore with the
wfs-t demo.

> > > > Note that just returning
> > > > the serializedDoc also will not produce the expected result.
> > >
> > > Why not?  It is correct XML, and should be output as such.
> 
> Sure, but GeoRSS feeds often encode escaped HTML into XML tags.

The place for decoding that is in the part that displays that specific
piece of information, then.  You have to be very careful in doing that,
however; allowing unknown sources to specify part of the HTML of your
page is a potentially dangerous thing to do.

> > Let me stress this, because I think it's important: the current paint()
> > method in WidgetBaseXSL calls transformNodeToString(), which means all
> > widgets potentially suffer from this bug.  There should be no need to
> > unescape the serializedDoc, since the XML it contains is already valid.
> > If it for some reason contains escaped characters that you need to
> > unescape (although I still don't see a clear case for this), do it where
> > you need them unescaped, not in the basic widget transform.
> 
> This is why I only did it in TipWidgetOL, and not in WidgetBaseXSL.js.

Then I propose we remove the current behaviour from Utils.js.
If anyone finds a case in some widget that has a problem with that, we
should fix it in the right place (i.e. somewhere in that widget).

Regards,
-- 
-- Gertjan van Oosten, [EMAIL PROTECTED], West Consulting B.V., +31 15 2191 600
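The following is an added example, not code from this thread or from MapBuilder, illustrating the point made above: a serialized document that was escaped correctly once must not be unescaped wholesale, and any escaping for display belongs at the point where a value is written into the page. The function names (`serializeFeature`, `renderTooltipHtml`, `countElements`) and the sample feature are constructed for the illustration; `renderTooltipHtml` is only a stand-in for what a tip widget would do.

```javascript
// Added example (not MapBuilder code): why unescaping a whole serialized
// document is wrong, and where escaping for output belongs.

// Escape the five predefined XML entities. This is the escaping a serializer
// applies to text content so that markup characters in data stay data.
function escapeXml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// Reverse of escapeXml. Order matters: &amp; is decoded last so that
// "&amp;lt;" becomes "&lt;" (one level) rather than "<" (two levels).
function unescapeXml(s) {
  return String(s)
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&apos;/g, "'")
    .replace(/&amp;/g, "&");
}

// Serialize a feature whose property values are user-provided (for example
// edited through a WFS-T form). Each value is escaped exactly once; the
// result is already valid XML and needs no further unescaping.
function serializeFeature(feature) {
  return Object.entries(feature)
    .map(([k, v]) => `<${k}>${escapeXml(v)}</${k}>`)
    .join("");
}

// Count start tags in a fragment: a crude stand-in for "what an XML parser
// would see as elements". Escaped angle brackets are not counted.
function countElements(xml) {
  return (xml.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Hypothetical tooltip renderer (stand-in for a tip widget): the value is
// escaped at the point where it becomes part of an HTML page, so a feature
// name containing markup is shown literally instead of being interpreted.
function renderTooltipHtml(feature) {
  return `<div class="tip">${escapeXml(feature.name)}</div>`;
}

// Constructed sample: a feature whose name happens to contain markup.
const sampleFeature = { name: "Park <b>East</b>", type: "green" };

function demo(feature = sampleFeature) {
  const serialized = serializeFeature(feature);
  // Correct: two elements (<name>, <type>); the <b> in the name is data.
  const correctCount = countElements(serialized);
  // Wrong: unescaping the whole document turns that data back into markup,
  // so the parser now sees an extra <b> element inside <name>.
  const brokenCount = countElements(unescapeXml(serialized));
  return {
    serialized,
    correctCount,
    brokenCount,
    tip: renderTooltipHtml(feature),
  };
}

console.log(demo());
```

The difference between `correctCount` and `brokenCount` is the bug described in the thread: once the serialized document is unescaped as a whole, a value typed into a feature field changes the structure of the document, and because the damage is now part of the stored data it cannot be repaired through the same form.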

_______________________________________________
mapbuilder-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mapbuilder-devel