[ http://issues.apache.org/jira/browse/BEEHIVE-299?page=history ]
Daryl Olander resolved BEEHIVE-299:
-----------------------------------
Assign To: Alejandro Ramirez (was: Daryl Olander)
Resolution: Won't Fix
This is the problem. We have no way to know what form of quotes you used in
the JSP. This means you can do either of these <... attr="alert('this')"> or
<... attr='alert("this")'> in the JSP and all the tag gets is one version of
the string or the other.
We've decide that it's too expensive to escape the string for HTML/JavaScript
so we've decide that the tags will write out the single quoted form of the
attribute and allow authors to use the more common form of double quote in
their inclosed script. Really the best we can do, without doing an expensive
pass through each JavaScript event and escaping the quotes.
> netui:anchor Event Attribute syntax can cause java script error
> ---------------------------------------------------------------
>
> Key: BEEHIVE-299
> URL: http://issues.apache.org/jira/browse/BEEHIVE-299
> Project: Beehive
> Type: Bug
> Components: NetUI
> Versions: V1
> Reporter: Krista Baker
> Assignee: Alejandro Ramirez
> Priority: Minor
>
> Repro:
> Using the following jsp note the tag error on the first <netui:anchor> in the
> Browser window.
> <%@ page language="java" contentType="text/html;charset=UTF-8"%>
> <%@ taglib prefix="netui"
> uri="http://beehive.apache.org/netui/tags-html-1.0"%>
> <%@ taglib prefix="netui-data"
> uri="http://beehive.apache.org/netui/tags-databinding-1.0"%>
> <%@ taglib prefix="netui-template"
> uri="http://beehive.apache.org/netui/tags-template-1.0"%>
> <netui:html>
> <head>
> <netui:base/>
> </head>
> <netui:body>
> Causes Script error <br />
> <netui:anchor onMouseDown="alert('OnMOUSEDOWN')"
> href="index.jsp">Script Error For onmousedown when formatted this
> way.</netui:anchor>
> <br />
> The following generate valid javascript:
> <br />
> <netui:anchor onMouseDown='alert("onmousedown")' href="index.jsp>No
> script error when double quotes switched with single quotes</netui:anchor>
> <a href="index.jsp" onmousedown="alert('onmousedown')">No script
> error when html anchor tag is used with the same formatting as netui:anchor
> which returns a script error</a>
> <a href="index.jsp" onmousedown='alert("onmousedown")'>No script
> error</a>
> </netui:body>
> </netui:html>
> Config:
> Mozilla 1.4 and Firefox 1.0 only display the script error when the anchor is
> clicked and the javascript executed. Internet Explorer recognizes the error
> when the page is opened.
> Workaround - Use one of the other three possible tag configs to perform event
> attributes on the anchor tag.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
http://www.atlassian.com/software/jira
