Author: hlship
Date: Wed Oct 19 16:55:35 2011
New Revision: 1186329

URL: http://svn.apache.org/viewvc?rev=1186329&view=rev
Log:
TAP5-1442: XSS vulnerability in calendar component

Modified:
    
tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js

Modified: 
tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js?rev=1186329&r1=1186328&r2=1186329&view=diff
==============================================================================
--- 
tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
 (original)
+++ 
tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
 Wed Oct 19 16:55:35 2011
@@ -12,185 +12,185 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-Tapestry.DateField = Class.create( {
+Tapestry.DateField = Class.create({
 
-       // Initializes a DateField from a JSON specification.
+    // Initializes a DateField from a JSON specification.
 
-       initialize : function(spec) {
-               this.field = $(spec.field);
-               this.trigger = $(spec.field + "-trigger");
-               this.parseURL = spec.parseURL;
-               this.formatURL = spec.formatURL;
+    initialize : function(spec) {
+        this.field = $(spec.field);
+        this.trigger = $(spec.field + "-trigger");
+        this.parseURL = spec.parseURL;
+        this.formatURL = spec.formatURL;
 
-               this.trigger.observe("click", this.triggerClicked.bind(this));
+        this.trigger.observe("click", this.triggerClicked.bind(this));
 
-               this.popup = null;
-       },
+        this.popup = null;
+    },
 
-       triggerClicked : function() {
-               if (this.field.disabled)
-                       return;
+    triggerClicked : function() {
+        if (this.field.disabled)
+            return;
 
-               if (this.popup == null) {
-                       this.createPopup();
+        if (this.popup == null) {
+            this.createPopup();
 
-               } else {
-                       if (this.popup.visible()) {
-                               this.hidePopup();
-                               return;
-                       }
-               }
+        } else {
+            if (this.popup.visible()) {
+                this.hidePopup();
+                return;
+            }
+        }
 
-               var value = $F(this.field).escapeHTML();
+        var value = $F(this.field).escapeHTML();
 
-               if (value == "") {
-                       this.datePicker.setDate(null);
+        if (value == "") {
+            this.datePicker.setDate(null);
 
-                       this.positionPopup();
+            this.positionPopup();
 
-                       this.revealPopup();
+            this.revealPopup();
 
-                       return;
-               }
+            return;
+        }
 
-               var resultHandler = function(result) {
-                       var date = new Date();
+        var resultHandler = function(result) {
+            var date = new Date();
 
-                       date.setTime(result);
+            date.setTime(result);
 
-                       this.datePicker.setDate(date);
+            this.datePicker.setDate(date);
 
-                       this.positionPopup();
+            this.positionPopup();
 
-                       this.revealPopup();
-               };
+            this.revealPopup();
+        };
 
-               var errorHandler = function(message) {
-                       this.field.showValidationMessage(message);
-                       this.field.activate();
-               };
+        var errorHandler = function(message) {
+            this.field.showValidationMessage(message.escapeHTML());
+            this.field.activate();
+        };
 
-               this.sendServerRequest(this.parseURL, value, resultHandler,
-                               errorHandler);
-       },
+        this.sendServerRequest(this.parseURL, value, resultHandler,
+            errorHandler);
+    },
 
-       sendServerRequest : function(url, input, resultHandler, errorHandler) {
-               var successHandler = function(response) {
-                       var json = response.responseJSON;
+    sendServerRequest : function(url, input, resultHandler, errorHandler) {
+        var successHandler = function(response) {
+            var json = response.responseJSON;
 
-                       var result = json.result;
+            var result = json.result;
 
-                       if (result) {
-                               resultHandler.call(this, result);
-                               return;
-                       }
+            if (result) {
+                resultHandler.call(this, result);
+                return;
+            }
 
-                       errorHandler.call(this, json.error);
-               }.bind(this);
+            errorHandler.call(this, json.error);
+        }.bind(this);
 
-               Tapestry.ajaxRequest(url, {
-                       method : 'get',
-                       parameters : {
-                               input : input
-                       },
-                       onSuccess : successHandler
-               });
-       },
+        Tapestry.ajaxRequest(url, {
+            method : 'get',
+            parameters : {
+                input : input
+            },
+            onSuccess : successHandler
+        });
+    },
 
-       createPopup : function() {
-               this.datePicker = new DatePicker();
+    createPopup : function() {
+        this.datePicker = new DatePicker();
 
-               this.datePicker.setFirstWeekDay(this.firstDay);
+        this.datePicker.setFirstWeekDay(this.firstDay);
 
-               this.popup = $(this.datePicker.create());
+        this.popup = $(this.datePicker.create());
 
-               this.field.insert( {
-                       after : this.popup
-               });
+        this.field.insert({
+            after : this.popup
+        });
 
-               this.popup.absolutize().hide();
+        this.popup.absolutize().hide();
 
-               this.datePicker.onselect = function() {
-                       var date = this.datePicker.getDate();
+        this.datePicker.onselect = function() {
+            var date = this.datePicker.getDate();
 
-                       var resultHandler = function(result) {
-                               this.field.value = result;
+            var resultHandler = function(result) {
+                this.field.value = result;
 
-                               this.hidePopup();
+                this.hidePopup();
 
-                               new Effect.Highlight(this.field);
-                       };
+                new Effect.Highlight(this.field);
+            };
 
-                       var errorHandler = function(message) {
-                               this.field.showValidationMessage(message);
-                               this.field.activate();
+            var errorHandler = function(message) {
+                this.field.showValidationMessage(message.escapeHTML());
+                this.field.activate();
 
-                               this.hidePopup();
-                       };
+                this.hidePopup();
+            };
 
-                       // If the field is blank, don't bother going to the 
server to parse!
+            // If the field is blank, don't bother going to the server to 
parse!
 
-                       if (date == null) {
-                               resultHandler.call(this, "");
-                               return;
-                       }
+            if (date == null) {
+                resultHandler.call(this, "");
+                return;
+            }
 
-                       this.sendServerRequest(this.formatURL, date.getTime(),
-                                       resultHandler, errorHandler);
-               }.bind(this);
-       },
+            this.sendServerRequest(this.formatURL, date.getTime(),
+                resultHandler, errorHandler);
+        }.bind(this);
+    },
 
-       positionPopup : function() {
-               // The field may be a hidden field, in which csae, position the 
popup
-               // based on the trigger, not
-               // the hidden.
+    positionPopup : function() {
+        // The field may be a hidden field, in which csae, position the popup
+        // based on the trigger, not
+        // the hidden.
 
-               var reference = this.field.type == "text" ? this.field : 
this.trigger;
+        var reference = this.field.type == "text" ? this.field : this.trigger;
 
-               this.popup.clonePosition(reference, {
-                       offsetTop : reference.getHeight() + 2
-               }).setStyle( {
-                       width : "",
-                       height : ""
-               });
-       },
+        this.popup.clonePosition(reference, {
+            offsetTop : reference.getHeight() + 2
+        }).setStyle({
+                width : "",
+                height : ""
+            });
+    },
 
-       /** Duration, in seconds, used when fading the popup in or out. */
+    /** Duration, in seconds, used when fading the popup in or out. */
 
-       FADE_DURATION : .20,
+    FADE_DURATION : .20,
 
-       hidePopup : function() {
-               new Effect.Fade(this.popup, {
-                       duration : this.FADE_DURATION
-               });
-       },
+    hidePopup : function() {
+        new Effect.Fade(this.popup, {
+            duration : this.FADE_DURATION
+        });
+    },
 
-       revealPopup : function() {
+    revealPopup : function() {
 
-               // Only show one DateField popup at a time.
+        // Only show one DateField popup at a time.
 
-       if (Tapestry.DateField.activeDateField != undefined
-                       && Tapestry.DateField.activeDateField != this) {
-               Tapestry.DateField.activeDateField.hidePopup();
-       }
+        if (Tapestry.DateField.activeDateField != undefined
+            && Tapestry.DateField.activeDateField != this) {
+            Tapestry.DateField.activeDateField.hidePopup();
+        }
 
-       new Effect.Appear(this.popup, {
-               duration : this.FADE_DURATION
-       });
+        new Effect.Appear(this.popup, {
+            duration : this.FADE_DURATION
+        });
 
-       Tapestry.DateField.activeDateField = this;
-}
+        Tapestry.DateField.activeDateField = this;
+    }
 });
 
 Tapestry.DateField.localized = false;
 
 Tapestry.DateField.initLocalization = function(localization) {
-       DatePicker.months = localization.months;
-       DatePicker.days = localization.days.toArray();
+    DatePicker.months = localization.months;
+    DatePicker.days = localization.days.toArray();
 
-       Tapestry.DateField.prototype.firstDay = localization.firstDay;
+    Tapestry.DateField.prototype.firstDay = localization.firstDay;
 };
 
 Tapestry.Initializer.dateField = function(spec) {
-       new Tapestry.DateField(spec);
-}
\ No newline at end of file
+    new Tapestry.DateField(spec);
+}
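Review bot: Escaping at the sink is the right fix, but `var value = $F(this.field).escapeHTML();` in triggerClicked (unchanged context, still on the new side) applies HTML output encoding to data that is being sent to the server as the `input` parameter, which is the wrong layer: an `&` or `<` typed into the field reaches the parser as `&amp;` or `&lt;`, so the server parses altered text, and if it echoes the input back in `json.error` the new `showValidationMessage(message.escapeHTML())` escapes it a second time. With the escape now in both error handlers that line can become `var value = $F(this.field);`. Separately, the two new `message.escapeHTML()` calls throw a TypeError when `json.error` is absent, which successHandler makes reachable whenever `json.result` is falsy (a parse result of `0`, or a response carrying neither key); `this.field.showValidationMessage((message || "").escapeHTML());` or a check on `json.error` before dispatching keeps that an empty validation message rather than an uncaught exception in the Ajax callback. The error-handler body is also duplicated verbatim in triggerClicked and in the onselect callback inside createPopup; a single `showError(message)` method would keep the escaping in one place.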

