Updated Branches: refs/heads/5.4-js-rewrite 92fcaa9fa -> 40f3fef11
Change how core/builder module builds nodes to not (implicitly) escape markup Change core/alerts to expressly allow markup in the message or otherwise escape markup Add core/dom:escapeHTML to escape HTML characters in a string Change the DatePicker to dismiss the popup when the field's content is not parsable Project: http://git-wip-us.apache.org/repos/asf/tapestry-5/repo Commit: http://git-wip-us.apache.org/repos/asf/tapestry-5/commit/40f3fef1 Tree: http://git-wip-us.apache.org/repos/asf/tapestry-5/tree/40f3fef1 Diff: http://git-wip-us.apache.org/repos/asf/tapestry-5/diff/40f3fef1 Branch: refs/heads/5.4-js-rewrite Commit: 40f3fef11bf4a4ad29c9e74443131db685a83cb8 Parents: 92fcaa9 Author: Howard M. Lewis Ship <[email protected]> Authored: Tue Dec 11 17:50:39 2012 -0800 Committer: Howard M. Lewis Ship <[email protected]> Committed: Tue Dec 11 17:50:39 2012 -0800 ---------------------------------------------------------------------- .../META-INF/modules/core/alert.coffee | 11 ++++++++--- .../META-INF/modules/core/builder.coffee | 8 ++++++-- .../META-INF/modules/core/console.coffee | 2 +- .../META-INF/modules/core/datefield.coffee | 15 +++++---------- .../coffeescript/META-INF/modules/core/dom.coffee | 3 +++ .../tapestry5/integration/app1/FormTests.java | 4 ++-- 6 files changed, 25 insertions(+), 18 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/40f3fef1/tapestry-core/src/main/coffeescript/META-INF/modules/core/alert.coffee ----------------------------------------------------------------------
diff --git a/tapestry-core/src/main/coffeescript/META-INF/modules/core/alert.coffee b/tapestry-core/src/main/coffeescript/META-INF/modules/core/alert.coffee
index ca9d311..bcbcf94 100644
--- a/tapestry-core/src/main/coffeescript/META-INF/modules/core/alert.coffee
+++ b/tapestry-core/src/main/coffeescript/META-INF/modules/core/alert.coffee
@@ -89,8 +89,11 @@ define ["core/dom", "core/console", "core/messages", "core/builder", "core/ajax" return outer?.findFirst "[data-container-type=inner]" - # The `data` for the alert has a number of keys to control its behavior - + # The `data` for the alert has a number of keys to control its behavior: + # + # * severity - used to determine the CSS class, may be "warn", "error", or "info" (the default) + # * message - message to display to as te alert's body + # * markup - if true, then the message contains markup that should not be HTML escaped alert = (data) -> container = findInnerContainer() @@ -99,12 +102,14 @@ define ["core/dom", "core/console", "core/messages", "core/builder", "core/ajax" className = severityToClass[data.severity] or "alert" + content = if data.markup then data.message else dom.escapeHTML data.message + # Note that `data-dismiss=alert` is purposely excluded # - we want to handle closes w/ notifications to the server if not transient # - we don't want to rely on bootstrap.js, as that will drag jQuery into the application element = builder "div", class: className, ["button.close", "\u00d7"] - data.message + content if data.id element.attribute "data-alert-id", data.id http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/40f3fef1/tapestry-core/src/main/coffeescript/META-INF/modules/core/builder.coffee ---------------------------------------------------------------------- diff --git a/tapestry-core/src/main/coffeescript/META-INF/modules/core/builder.coffee b/tapestry-core/src/main/coffeescript/META-INF/modules/core/builder.coffee index eb3a34b..0cea473 100644 --- a/tapestry-core/src/main/coffeescript/META-INF/modules/core/builder.coffee +++ b/tapestry-core/src/main/coffeescript/META-INF/modules/core/builder.coffee 
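Review bot: The `markup` key read in the second alert hunk comes straight from `data`, so the decision to skip `dom.escapeHTML` travels with the message itself, and the new comment block does not say who may set it. Where `data` is built from a server response (not visible in these hunks), a `markup: true` alert whose message embeds user-supplied text reaches `builder` as live HTML. I would word the new comment line as `# * markup - if true, the message is inserted as HTML; set only for messages that contain no unescaped user input`, and fix the typo in the line above it to `# * message - message to display as the alert's body`. The body of `alert` continues outside both hunks.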
@@ -33,9 +33,13 @@ # The body may consist of: # # * Objects: used to specify attributes and event handlers of the element -# * Strings: literal text +# * Strings: literal markup text # * Array: a nested element definition # +# Literal text is NOT escaped. You should be careful to use `core/dom:escapeHTML` if the body contains +# any potential markup that should be escaped; alternately, it may be easier to use embedded markup in the body +# than to use an element definition. +# # For an Object, each key and value is simply added as an attribute. However, for keys that start with "on", the value # is assumed to be an event handler function. The special key "on" consists of nested event handlers for the events # whose name matches the key. The following are equivalent: @@ -84,7 +88,7 @@ define ["_", "core/dom", "core/utils"], (_, dom, utils) -> unless nested? # Ignore null nodes else if _.isString nested - element.appendChild document.createTextNode nested + element.innerHTML += nested else if _.isArray nested [elementDescription, nestedBody...] = nested nestedElement = buildTree elementDescription, nestedBody http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/40f3fef1/tapestry-core/src/main/coffeescript/META-INF/modules/core/console.coffee ---------------------------------------------------------------------- diff --git a/tapestry-core/src/main/coffeescript/META-INF/modules/core/console.coffee b/tapestry-core/src/main/coffeescript/META-INF/modules/core/console.coffee index 9a03000..0d66ff2 100644 --- a/tapestry-core/src/main/coffeescript/META-INF/modules/core/console.coffee +++ b/tapestry-core/src/main/coffeescript/META-INF/modules/core/console.coffee 
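Review bot: `element.innerHTML += nested` in the second builder hunk serialises and re-parses everything already inside `element`, so a nested element appended earlier in the same body is replaced by a copy without its event handlers (the code that attaches them is outside the hunk, so this is inferred from the header comment on `on` keys). `element.insertAdjacentHTML "beforeend", nested` appends the markup without touching the existing children. The change also makes every string body passed to `builder` an HTML sink by default, so call sites not touched by this commit need a check for user- or server-supplied text. An explicit opt-in for markup would keep text nodes as the safe default. `buildTree` starts and ends outside the hunk.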
@@ -40,7 +40,7 @@ define ["core/dom", "core/builder", "_"], (dom, builder, _) -> floatingConsole = builder ".t-console" dom.body().prepend floatingConsole - div = builder ".t-console-entry.#{className}", message + div = builder ".t-console-entry.#{className}", (dom.escapeHTML message) floatingConsole.append div.hide().fadeIn FADE_DURATION http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/40f3fef1/tapestry-core/src/main/coffeescript/META-INF/modules/core/datefield.coffee ---------------------------------------------------------------------- diff --git a/tapestry-core/src/main/coffeescript/META-INF/modules/core/datefield.coffee b/tapestry-core/src/main/coffeescript/META-INF/modules/core/datefield.coffee index c401b70..453a9ca 100644 --- a/tapestry-core/src/main/coffeescript/META-INF/modules/core/datefield.coffee +++ b/tapestry-core/src/main/coffeescript/META-INF/modules/core/datefield.coffee @@ -16,8 +16,8 @@ # # Provides support for the `core/DateField` component. define ["core/dom", "core/events", "core/messages", "core/builder", "core/ajax", - "_", "core/alert", "core/fields"], - (dom, events, messages, builder, ajax, _, alert) -> + "_", "core/fields"], + (dom, events, messages, builder, ajax, _) -> # Translate from the provided order (SUNDAY = 0, MONDAY = 1), to @@ -102,14 +102,9 @@ define ["core/dom", "core/events", "core/messages", "core/builder", "core/ajax", @showPopup() return - @fieldError reply.error - - # Because the popup overlays where the error message appears, we - # show it as an alert, too. - alert { message: reply.error } - - @datePicker.setDate null - @showPopup() + @fieldError (dom.escapeHTML reply.error) + @hidePopup() + return fieldError: (message) -> @field.focus().trigger events.field.showValidationError, { message } http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/40f3fef1/tapestry-core/src/main/coffeescript/META-INF/modules/core/dom.coffee ---------------------------------------------------------------------- 
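Review bot: `@fieldError (dom.escapeHTML reply.error)` in the second datefield hunk escapes at the call site, while `fieldError` itself (visible as context below it) forwards `message` unchanged to `events.field.showValidationError`. Any other caller of `fieldError`, or any other trigger of that event, still hands raw text to whatever renders the message, and the handler is not shown here, so it is unclear whether it expects text or markup. Escaping once inside the helper, `@field.focus().trigger events.field.showValidationError, { message: dom.escapeHTML message }`, or a comment on the event stating that `message` is treated as markup, would make the contract explicit.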
diff --git a/tapestry-core/src/main/coffeescript/META-INF/modules/core/dom.coffee b/tapestry-core/src/main/coffeescript/META-INF/modules/core/dom.coffee index 812825c..6a569a3 100644 --- a/tapestry-core/src/main/coffeescript/META-INF/modules/core/dom.coffee +++ b/tapestry-core/src/main/coffeescript/META-INF/modules/core/dom.coffee @@ -500,6 +500,9 @@ define ["_", "core/utils", "prototype"], (_, utils) -> _.extend exports, wrap: wrapElement + # Escape's HTML markup in the string. + escapeHTML: (str) -> str.escapeHTML() + ajaxRequest: ajaxRequest # Used to add an event handler to an element (possibly from elements below it in the hierarch). http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/40f3fef1/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java ---------------------------------------------------------------------- diff --git a/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java b/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java index 86eb651..33fab8a 100644 --- a/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java +++ b/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/FormTests.java @@ -239,9 +239,9 @@ public class FormTests extends TapestryCoreTestCase click("css=.x-impact .btn"); - // This appears to be a legitimate bug introduced in 5.4: + sleep(100); - assertTextPresent("Unparseable date: \"<script>alert('T5 is great'); </script>\""); + assertSourcePresent("Unparseable date: \"<script>alert('T5 is great'); </script>\""); } // TAP5-1409
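Review bot: `escapeHTML: (str) -> str.escapeHTML()` throws when `str` is null, undefined or not a string, and the new callers in `core/alert` (`data.message`) and `core/console` (`message`) pass values that are not checked first. A failure inside the console path would hide the error being reported. `escapeHTML: (str) -> if str? then String(str).escapeHTML() else ""` avoids that. The method delegates to Prototype's `String#escapeHTML`, which as far as I know rewrites only `&`, `<` and `>`, so the comment should state that the result is safe for element content but not inside a quoted attribute value, e.g. `# Escapes &, < and > for use as element content; not sufficient for attribute values.` That wording also replaces the stray apostrophe in "Escape's".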
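Review bot: `assertSourcePresent` with the literal `<script>` payload checks the page source for the unescaped string, so as written it appears to pass when the markup is present raw and would not catch a regression in the new escaping. How the harness serialises the source is not visible here, so this is inferred. Asserting the escaped form, `assertSourcePresent("Unparseable date: \"&lt;script&gt;alert('T5 is great'); &lt;/script&gt;\"");`, or keeping `assertTextPresent` for the rendered text, would pin the behaviour the commit intends. `sleep(100)` is a fixed delay and can fail on a slow run; waiting on the error element is sturdier. The test method starts outside the hunk.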
