RE: (royale-asjs) branch develop updated: fix: use innerHTML instead of text in Jewel SearchFilterForList text doesn't render HTML, preventing styling with useDecoration. innerHTML enables proper CSS markup.

Tue, 22 Jul 2025 10:31:57 -0700 

Sorry, I forgot to translate...
I tested it with the generated HTML:
- This was my first test:

//decorate text
{
        var txt:String = "<span style='display:contents;'>" + (filterText != "" 
?  decorateText(textData, 
textData.toUpperCase().indexOf(filterText.toUpperCase()), filterText.length) : 
textData ) + "</span>";
        COMPILE::JS
        {
                var a:UIBase = ir as UIBase;
                (ir as UIBase).element.innerHTML = sanitizeHtml(txt); //*** 
Removes "decorateText" transformations
        }
}

@Josh do you mean I could make it safe by passing sanitizeHtml to textData? (I 
also think that's the solution):

COMPILE::JS
{
        if(useDecoration)
        {
                var secureTxt:String = sanitizeHtml(textData);
                var txt:String = "<span style='display:contents;'>" + 
(filterText != "" ?  decorateText(secureTxt, 
secureTxt.toUpperCase().indexOf(filterText.toUpperCase()), filterText.length) : 
secureTxt ) + "</span>";
                var a:UIBase = ir as UIBase;
                (ir as UIBase).element.innerHTML = txt;
        }
}


Hiedra

-----Mensaje original-----
De: Maria José Esteve <mjest...@iest.com> 
Enviado el: martes, 22 de julio de 2025 19:22
Para: dev@royale.apache.org
Asunto: RE: (royale-asjs) branch develop updated: fix: use innerHTML instead of 
text in Jewel SearchFilterForList text doesn't render HTML, preventing styling 
with useDecoration. innerHTML enables proper CSS markup.

Lo probé con el HTML generado:

Esta fue mi primera prueba:
//decorate text
{
        var txt:String = "<span style='display:contents;'>" + (filterText != "" 
?  decorateText(textData, 
textData.toUpperCase().indexOf(filterText.toUpperCase()), filterText.length) : 
textData ) + "</span>";
        COMPILE::JS
        {
                var a:UIBase = ir as UIBase;
                (ir as UIBase).element.innerHTML = sanitizeHtml(txt); //*** 
Elimina las transformaciones "decorateText"
        }
}

@Josh ¿te refieres a que podría hacerlo seguro pasándole el sanitizeHtml a 
textData?:

//decorate text
if(useDecoration)
{
        var secureTxt:String = sanitizeHtml(textData);
        var txt:String = "<span style='display:contents;'>" + (filterText != "" 
?  decorateText(secureTxt, 
secureTxt.toUpperCase().indexOf(filterText.toUpperCase()), filterText.length) : 
secureTxt ) + "</span>";
        COMPILE::JS
        {
                var a:UIBase = ir as UIBase;
                (ir as UIBase).element.innerHTML = txt;
        }
                        }

Hiedra

-----Mensaje original-----
De: Josh Tynjala <joshtynj...@bowlerhat.dev> Enviado el: martes, 22 de julio de 
2025 18:46
Para: dev@royale.apache.org
Asunto: Re: (royale-asjs) branch develop updated: fix: use innerHTML instead of 
text in Jewel SearchFilterForList text doesn't render HTML, preventing styling 
with useDecoration. innerHTML enables proper CSS markup.

Did you try calling sanitizeHTML() on your entire generated HTML? Or were you 
more specific? It seems to me that you should pass only textData to 
sanitizeHTML(). You know that the HTML that you generate in SearchFilterForList 
is safe, but textData is the part that is potentially insecure.

--
Josh Tynjala
Bowler Hat LLC
https://bowlerhat.dev/


On Tue, Jul 22, 2025 at 9:37 AM Maria José Esteve <mjest...@iest.com> wrote:

> Hi Harb,
> Does this pose a security risk? Well, in principle, the HTML is 
> generated by the same bead with the text to be rendered (it adds CSS 
> for the highlighting to be displayed).
> In an initial test, I tried including the sanitizeHTML function, but 
> it removed the CSS rules, so it wasn’t usable.
>
> Do you think this is a security concern? If so… how could I implement 
> it differently?
>
> Hiedra.
>
> -----Mensaje original-----
> De: Harbs <harbs.li...@gmail.com>
> Enviado el: martes, 22 de julio de 2025 16:16
> Para: Apache Royale Development <dev@royale.apache.org>
> Asunto: Re: (royale-asjs) branch develop updated: fix: use innerHTML 
> instead of text in Jewel SearchFilterForList text doesn't render HTML, 
> preventing styling with useDecoration. innerHTML enables proper CSS markup.
>
> Where is the contents of “txt” coming from. Is using innerHTML a 
> security risk?
>
> > On Jul 22, 2025, at 5:35 AM, hie...@apache.org wrote:
> >
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > hiedra pushed a commit to branch develop in repository 
> > https://gitbox.apache.org/repos/asf/royale-asjs.git
> >
> >
> > The following commit(s) were added to refs/heads/develop by this push:
> >     new 15edae07a8 fix: use innerHTML instead of text in Jewel
> SearchFilterForList text doesn't render HTML, preventing styling with 
> useDecoration. innerHTML enables proper CSS markup.
> > 15edae07a8 is described below
> >
> > commit 15edae07a8ed5db132cb8cf55424004af73510c0
> > Author: hiedra <mjest...@iest.com>
> > AuthorDate: Tue Jul 22 04:36:14 2025 +0200
> >
> >    fix: use innerHTML instead of text in Jewel SearchFilterForList
> >    text doesn't render HTML, preventing styling with useDecoration.
> innerHTML enables proper CSS markup.
> >
> >    Closes #1253
> > ---
> > .../jewel/beads/controls/textinput/SearchFilterForList.as   | 13
> +++++++++++--
> > 1 file changed, 11 insertions(+), 2 deletions(-)
> >
> > diff --git
> > a/frameworks/projects/Jewel/src/main/royale/org/apache/royale/jewel/
> > be ads/controls/textinput/SearchFilterForList.as
> > b/frameworks/projects/Jewel/src/main/royale/org/apache/royale/jewel/
> > be ads/controls/textinput/SearchFilterForList.as
> > index b684b84a7e..b91c4cd9d6 100644
> > ---
> > a/frameworks/projects/Jewel/src/main/royale/org/apache/royale/jewel/
> > be ads/controls/textinput/SearchFilterForList.as
> > +++ b/frameworks/projects/Jewel/src/main/royale/org/apache/royale/je
> > +++ we l/beads/controls/textinput/SearchFilterForList.as
> > @@ -36,6 +36,10 @@ package
> org.apache.royale.jewel.beads.controls.textinput
> >       import
> org.apache.royale.jewel.supportClasses.list.IListPresentationModel;
> >       import
> org.apache.royale.jewel.supportClasses.textinput.TextInputBase;
> >       import org.apache.royale.utils.sendEvent;
> > +     COMPILE::JS
> > +     {
> > +             import org.apache.royale.core.UIBase;
> > +     }
> >
> >       /**
> >        *  The SearchFilterForList bead class is a specialty bead 
> > that
> can
> > be used with @@ -321,8 +325,13 @@ package
> org.apache.royale.jewel.beads.controls.textinput
> >                                       //decorate text
> >                                       if(useDecoration)
> >                                       {
> > -                                             ir.text = "<span
> style='display:contents;'>" + (filterText != "" ?  
> decorateText(textData,
> textData.toUpperCase().indexOf(filterText.toUpperCase()),
> filterText.length) : textData ) + "</span>";
> > -                                     }
> > +                                             var txt:String = 
> > + "<span
> style='display:contents;'>" + (filterText != "" ?  
> decorateText(textData,
> textData.toUpperCase().indexOf(filterText.toUpperCase()),
> filterText.length) : textData ) + "</span>";
> > +                                             COMPILE::JS
> > +                                             {
> > +                                                     var a:UIBase = 
> > + ir
> as UIBase;
> > +                                                     (ir as
> UIBase).element.innerHTML = txt;
> > +                                             }
> > +                     }
> >                               } else {
> >                                       ir.visible = false;
> >                               }
> >
>
>

Reply via email to