[ http://issues.apache.org/jira/browse/TOMAHAWK-212?page=comments#action_12371688 ]
Werner Punz commented on TOMAHAWK-212:
--------------------------------------

I am not sure if it is feasible at all to push a script tag into a rich edit control, there are limits on what you can do with a rich edit control at all. I think it would be better to have a script filtering enforcement so that script tags cannot reach the rich edit control at all. After all being able to push scripts into the rich edit seems to me like a huge security issue (pushing scripts for later execution in an open environment screams for the call exploit)

> t:inputHtml messes up if value has </script> in it
> ---------------------------------------------------
>
>          Key: TOMAHAWK-212
>          URL: http://issues.apache.org/jira/browse/TOMAHAWK-212
>      Project: MyFaces Tomahawk
>         Type: Bug
>     Versions: 1.1.2-SNAPSHOT
>     Reporter: David
>      Fix For: 1.1.2-SNAPSHOT
>
> t:inputHTML gets the value into kupu by creating JS like this
>
>     myFacesKupuSet("test <script type=\"text/javascript\" language=\"JavaScript\"></script>blah");
>
> because the javascript isn't in CDATA (it is in a comment) the </script>
> causes the javascript to end. The code that produces the JS code I have above
> needs to do one of the following...
> 1. use CDATA -- not sure if this would be a good way to go with older browsers
> 2. replace occurrences of </script> with </scr" + "ipt>
> so we would get
>
>     myFacesKupuSet("test <script type=\"text/javascript\" language=\"JavaScript\"></scr" + "ipt>blah");
>
> Thanks
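
The behaviour described in the report, as an added example that is not part of the JIRA thread and not Tomahawk code: a naive string encoder beside one that escapes `<`, which generalizes option 2 beyond the exact `</script>` spelling. The function names, the simplified parser model and the stand-in for `myFacesKupuSet` are assumptions made for illustration.

```javascript
// Naive encoder, matching the output in the report: only quotes and
// backslashes are escaped, so "</script>" passes through untouched.
function naiveJsString(value) {
  return '"' + value.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Hardened encoder (hypothetical): also escapes "<" so "</script" can never
// appear in the literal, plus line terminators that would end the string.
function safeJsString(value) {
  const map = { '\\': '\\\\', '"': '\\"', '\n': '\\n', '\r': '\\r',
                '<': '\\u003C', '\u2028': '\\u2028', '\u2029': '\\u2029' };
  return '"' + value.replace(/[\\"\n\r<\u2028\u2029]/g, c => map[c]) + '"';
}

// Simplified model of the HTML parser: the text of a script element ends at
// the first "</script" (case-insensitive), regardless of JavaScript quoting.
function scriptTextSeenByParser(html) {
  const start = html.indexOf('>', html.search(/<script/i)) + 1;
  const end = html.slice(start).search(/<\/script/i);
  return html.slice(start, start + end);
}

// Renders the inline script block the way the report describes it.
function renderPage(encode, value) {
  return '<script type="text/javascript">myFacesKupuSet(' +
         encode(value) + ');</script>';
}

// Constructed sample value, same shape as the one in the report.
const value =
  'test <script type="text/javascript" language="JavaScript"></script>blah';

function demo() {
  const broken = scriptTextSeenByParser(renderPage(naiveJsString, value));
  const fixed = scriptTextSeenByParser(renderPage(safeJsString, value));
  let received = null;
  const myFacesKupuSet = v => { received = v; }; // stand-in for the real setter
  new Function('myFacesKupuSet', fixed)(myFacesKupuSet); // run the intact script
  return { broken, fixed, received };
}

console.log(demo());
```

With the naive encoder the script text is cut off inside the string literal; with the hardened one the whole call survives and the editor receives the original value byte for byte.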
