[TurboGears] Re: jsonify javascript references

2006-11-02 Thread Bob Ippolito 

On 11/2/06, Diez B. Roggisch [EMAIL PROTECTED] wrote:

 Hi,

 I'm trying to build a nice widget-wrapper around the YUI-component lib.
 Things are nice and smooth except for one thing: the components can get
 effects as arguments, basically a constructor and some arguments.

 Now this is what the generated JS looks like:

 resizepanelwin = new YAHOO.widget.Panel(resizepanelwin,
 {visible: false,
   effect: {duration: 0.25, effect:
 YAHOO.widget.ContainerEffect.FADE},
 constraintoviewport: true,
 draggable: true, width: 23em,
 modal: false, close: true,
 underlay: none, fixedcenter: true} );


 as you can see, the effect.effect is a string. Yet it should be rendered
 without quotes, so that the eval will evaluate it to the
 constructor/callable.

 Any suggestion on how to make that happen?

You don't, that's not JSON. You need to process it in JavaScript to
get the objects you want.

result.effect.effect = eval(result.effect.effect);

-bob

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
TurboGears group.
To post to this group, send email to turbogears@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/turbogears
-~--~~~~--~~--~--~---

[TurboGears] Re: jsonify javascript references

2006-11-02 Thread Diez B. Roggisch 

Bob Ippolito schrieb:
 On 11/2/06, Diez B. Roggisch [EMAIL PROTECTED] wrote:
 Hi,

 I'm trying to build a nice widget-wrapper around the YUI-component lib.
 Things are nice and smooth except for one thing: the components can get
 effects as arguments, basically a constructor and some arguments.

 Now this is what the generated JS looks like:

 resizepanelwin = new YAHOO.widget.Panel(resizepanelwin,
 {visible: false,
   effect: {duration: 0.25, effect:
 YAHOO.widget.ContainerEffect.FADE},
 constraintoviewport: true,
 draggable: true, width: 23em,
 modal: false, close: true,
 underlay: none, fixedcenter: true} );


 as you can see, the effect.effect is a string. Yet it should be rendered
 without quotes, so that the eval will evaluate it to the
 constructor/callable.

 Any suggestion on how to make that happen?
 
 You don't, that's not JSON. You need to process it in JavaScript to
 get the objects you want.
 
 result.effect.effect = eval(result.effect.effect);

Okay. I can use that. However, because I didn't think of that 
possibility, I dug into the simplejson code and introduced a 
JSLiteral-class that can wrap a string to simply pass it through without 
encoding.

I do like that better than your proposed solution for a simple reason: 
it's simpler :)

Now - your comment implies that JSON is specfied in a certain way, which 
doesn't allow for this. Ok. But I think that I have a real usecase here. 
Especially when there are situations where one can't control the 
javascript that will use the JSON-output (which I'm capable of, in this 
case, but other cases one can't), it might save one from larger troubles.

Are you adamant about not putting it into simplejson?

Diez

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
TurboGears group.
To post to this group, send email to turbogears@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/turbogears
-~--~~~~--~~--~--~---

[TurboGears] Re: jsonify javascript references

2006-11-02 Thread Bob Ippolito 

On 11/2/06, Diez B. Roggisch [EMAIL PROTECTED] wrote:

 Bob Ippolito schrieb:
  On 11/2/06, Diez B. Roggisch [EMAIL PROTECTED] wrote:
  Hi,
 
  I'm trying to build a nice widget-wrapper around the YUI-component lib.
  Things are nice and smooth except for one thing: the components can get
  effects as arguments, basically a constructor and some arguments.
 
  Now this is what the generated JS looks like:
 
  resizepanelwin = new YAHOO.widget.Panel(resizepanelwin,
  {visible: false,
effect: {duration: 0.25, effect:
  YAHOO.widget.ContainerEffect.FADE},
  constraintoviewport: true,
  draggable: true, width: 23em,
  modal: false, close: true,
  underlay: none, fixedcenter: true} );
 
 
  as you can see, the effect.effect is a string. Yet it should be rendered
  without quotes, so that the eval will evaluate it to the
  constructor/callable.
 
  Any suggestion on how to make that happen?
 
  You don't, that's not JSON. You need to process it in JavaScript to
  get the objects you want.
 
  result.effect.effect = eval(result.effect.effect);

 Okay. I can use that. However, because I didn't think of that
 possibility, I dug into the simplejson code and introduced a
 JSLiteral-class that can wrap a string to simply pass it through without
 encoding.

 I do like that better than your proposed solution for a simple reason:
 it's simpler :)

 Now - your comment implies that JSON is specfied in a certain way, which
 doesn't allow for this. Ok. But I think that I have a real usecase here.
 Especially when there are situations where one can't control the
 javascript that will use the JSON-output (which I'm capable of, in this
 case, but other cases one can't), it might save one from larger troubles.

That's simply ridiculous. If the script expects JSON, then it isn't
going to require things that are impossible with JSON!

 Are you adamant about not putting it into simplejson?

There is absolutely no way I will add features to simplejson that
encourage people to produce documents that are not valid JSON.

-bob

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
TurboGears group.
To post to this group, send email to turbogears@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/turbogears
-~--~~~~--~~--~--~---

[TurboGears] Re: jsonify javascript references

2006-11-02 Thread Diez B. Roggisch 

 Now - your comment implies that JSON is specfied in a certain way, which
 doesn't allow for this. Ok. But I think that I have a real usecase here.
 Especially when there are situations where one can't control the
 javascript that will use the JSON-output (which I'm capable of, in this
 case, but other cases one can't), it might save one from larger troubles.
 
 That's simply ridiculous. If the script expects JSON, then it isn't
 going to require things that are impossible with JSON!
 
 Are you adamant about not putting it into simplejson?
 
 There is absolutely no way I will add features to simplejson that
 encourage people to produce documents that are not valid JSON.

Ok - you showed me a to work around that, so I'm happy.

But I don't agree with you that it is a ridiculous request. I can very 
well imagine cases in which allowing an expression to be evaluated that 
goes beyond simple literals can save one tremendous trouble. In fact, 
I've seen such code. It bypassed some deep dojo magic to force a logout 
in case of a session timeout.

The alternative would have been to create a polling watchdog on the 
client-side that would have done that. Both solutions aren't beautiful, 
but the server-side scripting attack is the more robust IMHO.

Thanks for the help with my original troubles!

Diez

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
TurboGears group.
To post to this group, send email to turbogears@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/turbogears
-~--~~~~--~~--~--~---