[TurboGears] Re: jsonify javascript references
On 11/2/06, Diez B. Roggisch [EMAIL PROTECTED] wrote:
> Hi,
>
> I'm trying to build a nice widget-wrapper around the YUI-component lib.
> Things are nice and smooth except for one thing: the components can get
> effects as arguments, basically a constructor and some arguments.
>
> Now this is what the generated JS looks like:
>
>     resizepanelwin = new YAHOO.widget.Panel(resizepanelwin, {
>         visible: false,
>         effect: {duration: 0.25, effect: "YAHOO.widget.ContainerEffect.FADE"},
>         constraintoviewport: true,
>         draggable: true,
>         width: "23em",
>         modal: false,
>         close: true,
>         underlay: "none",
>         fixedcenter: true
>     });
>
> as you can see, the effect.effect is a string. Yet it should be rendered
> without quotes, so that the eval will evaluate it to the
> constructor/callable.
>
> Any suggestion on how to make that happen?

You don't, that's not JSON. You need to process it in JavaScript to get
the objects you want.

    result.effect.effect = eval(result.effect.effect);

-bob

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups TurboGears group.
To post to this group, send email to turbogears@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/turbogears
-~--~~~~--~~--~--~---
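An added example, not part of the thread and not simplejson or YUI code: one way to do the client-side step described above without `eval`, keeping the payload valid JSON and mapping the `effect.effect` string through an allowlist of known objects. The `YAHOO` stub, `ALLOWED_REFS`, `REF_PATHS`, `resolveRefs` and `parsePanelConfig` are names assumed for illustration.

```javascript
// Constructed stand-in for the YUI namespace so this runs outside a browser.
const YAHOO = { widget: { ContainerEffect: {
  FADE: function FADE() {},
  SLIDE: function SLIDE() {},
} } };

// The only names the server may refer to, mapped to the objects they denote.
const ALLOWED_REFS = new Map([
  ["YAHOO.widget.ContainerEffect.FADE", YAHOO.widget.ContainerEffect.FADE],
  ["YAHOO.widget.ContainerEffect.SLIDE", YAHOO.widget.ContainerEffect.SLIDE],
]);

// Key paths whose string value names an object instead of carrying data.
const REF_PATHS = [["effect", "effect"]];

const hasOwn = (obj, key) =>
  obj !== null && typeof obj === "object" &&
  Object.prototype.hasOwnProperty.call(obj, key);

// Replace each reference string with its allowlisted object; nothing is evaluated.
function resolveRefs(config, refPaths = REF_PATHS, allowed = ALLOWED_REFS) {
  for (const path of refPaths) {
    let parent = config;
    for (const key of path.slice(0, -1)) {
      parent = hasOwn(parent, key) ? parent[key] : undefined;
    }
    const leaf = path[path.length - 1];
    if (!hasOwn(parent, leaf)) continue; // optional field, not present
    const name = parent[leaf];
    if (typeof name !== "string" || !allowed.has(name)) {
      throw new Error("unknown reference at " + path.join(".") + ": " + String(name));
    }
    parent[leaf] = allowed.get(name);
  }
  return config;
}

// Parse strict JSON, then resolve the known reference fields.
function parsePanelConfig(jsonText) {
  return resolveRefs(JSON.parse(jsonText));
}

// Constructed sample: the panel options from the thread as valid JSON.
const SAMPLE_JSON = '{"visible": false, "effect": {"duration": 0.25, ' +
  '"effect": "YAHOO.widget.ContainerEffect.FADE"}, "width": "23em", "modal": false}';

const panelOptions = parsePanelConfig(SAMPLE_JSON);
console.log(typeof panelOptions.effect.effect); // prints "function"
```

A string that is not on the allowlist raises an error instead of being executed, so the server can only select among objects the page already trusts.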
[TurboGears] Re: jsonify javascript references
Bob Ippolito wrote:
> On 11/2/06, Diez B. Roggisch [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I'm trying to build a nice widget-wrapper around the YUI-component lib.
> > Things are nice and smooth except for one thing: the components can get
> > effects as arguments, basically a constructor and some arguments.
> >
> > Now this is what the generated JS looks like:
> >
> >     resizepanelwin = new YAHOO.widget.Panel(resizepanelwin, {
> >         visible: false,
> >         effect: {duration: 0.25, effect: "YAHOO.widget.ContainerEffect.FADE"},
> >         constraintoviewport: true,
> >         draggable: true,
> >         width: "23em",
> >         modal: false,
> >         close: true,
> >         underlay: "none",
> >         fixedcenter: true
> >     });
> >
> > as you can see, the effect.effect is a string. Yet it should be rendered
> > without quotes, so that the eval will evaluate it to the
> > constructor/callable.
> >
> > Any suggestion on how to make that happen?
>
> You don't, that's not JSON. You need to process it in JavaScript to get
> the objects you want.
>
>     result.effect.effect = eval(result.effect.effect);

Okay. I can use that. However, because I didn't think of that
possibility, I dug into the simplejson code and introduced a
JSLiteral-class that can wrap a string to simply pass it through without
encoding. I do like that better than your proposed solution for a simple
reason: it's simpler :)

Now - your comment implies that JSON is specified in a certain way, which
doesn't allow for this. Ok. But I think that I have a real use case here.
Especially when there are situations where one can't control the
javascript that will use the JSON-output (which I'm capable of, in this
case, but other cases one can't), it might save one from larger troubles.

Are you adamant about not putting it into simplejson?

Diez
[TurboGears] Re: jsonify javascript references
On 11/2/06, Diez B. Roggisch [EMAIL PROTECTED] wrote:
> Bob Ippolito wrote:
> > On 11/2/06, Diez B. Roggisch [EMAIL PROTECTED] wrote:
> > > Hi,
> > >
> > > I'm trying to build a nice widget-wrapper around the YUI-component lib.
> > > Things are nice and smooth except for one thing: the components can get
> > > effects as arguments, basically a constructor and some arguments.
> > >
> > > Now this is what the generated JS looks like:
> > >
> > >     resizepanelwin = new YAHOO.widget.Panel(resizepanelwin, {
> > >         visible: false,
> > >         effect: {duration: 0.25, effect: "YAHOO.widget.ContainerEffect.FADE"},
> > >         constraintoviewport: true,
> > >         draggable: true,
> > >         width: "23em",
> > >         modal: false,
> > >         close: true,
> > >         underlay: "none",
> > >         fixedcenter: true
> > >     });
> > >
> > > as you can see, the effect.effect is a string. Yet it should be rendered
> > > without quotes, so that the eval will evaluate it to the
> > > constructor/callable.
> > >
> > > Any suggestion on how to make that happen?
> >
> > You don't, that's not JSON. You need to process it in JavaScript to get
> > the objects you want.
> >
> >     result.effect.effect = eval(result.effect.effect);
>
> Okay. I can use that. However, because I didn't think of that
> possibility, I dug into the simplejson code and introduced a
> JSLiteral-class that can wrap a string to simply pass it through without
> encoding. I do like that better than your proposed solution for a simple
> reason: it's simpler :)
>
> Now - your comment implies that JSON is specified in a certain way, which
> doesn't allow for this. Ok. But I think that I have a real use case here.
> Especially when there are situations where one can't control the
> javascript that will use the JSON-output (which I'm capable of, in this
> case, but other cases one can't), it might save one from larger troubles.

That's simply ridiculous. If the script expects JSON, then it isn't going
to require things that are impossible with JSON!

> Are you adamant about not putting it into simplejson?

There is absolutely no way I will add features to simplejson that
encourage people to produce documents that are not valid JSON.

-bob
[TurboGears] Re: jsonify javascript references
> > Now - your comment implies that JSON is specified in a certain way, which
> > doesn't allow for this. Ok. But I think that I have a real use case here.
> > Especially when there are situations where one can't control the
> > javascript that will use the JSON-output (which I'm capable of, in this
> > case, but other cases one can't), it might save one from larger troubles.
>
> That's simply ridiculous. If the script expects JSON, then it isn't going
> to require things that are impossible with JSON!
>
> > Are you adamant about not putting it into simplejson?
>
> There is absolutely no way I will add features to simplejson that
> encourage people to produce documents that are not valid JSON.

Ok - you showed me a way to work around that, so I'm happy.

But I don't agree with you that it is a ridiculous request. I can very
well imagine cases in which allowing an expression to be evaluated that
goes beyond simple literals can save one tremendous trouble. In fact,
I've seen such code. It bypassed some deep dojo magic to force a logout
in case of a session timeout. The alternative would have been to create a
polling watchdog on the client-side that would have done that. Both
solutions aren't beautiful, but the server-side scripting attack is the
more robust IMHO.

Thanks for the help with my original troubles!

Diez