There was a case where I had to generate a dynamic form from a string such as
"<div>.....</div>", and I had to use {{{ }}} to generate the form
dynamically.

Hence we need a function to resolve this as well.

On Fri, Jun 10, 2016 at 9:07 PM, Ayoma Wijethunga <[email protected]> wrote:

> +1 for not using "{{{".
>
> We will further check on adding such patterns ("{{{ * }}}") in planned
> Jenkins based automated security scans (static code analysis).
>
> On Fri, Jun 10, 2016 at 8:47 PM, SajithAR Ariyarathna <[email protected]>
> wrote:
>
>> +1 for abandoning "{{{"
>>
>> toClent("fromBackend.protocols", protocols);
>>
>> We can implement this in the next milestone.
>>
>> On Fri, Jun 10, 2016 at 8:12 PM, Manuranga Perera <[email protected]> wrote:
>>
>>> These are mistakes we have already made in our old systems; let's not
>>> repeat them.
>>>
>>> 1) Please DO NOT use "{{{"; it introduces SECURITY VULNERABILITIES.
>>> Sajith, Rasika, we need to introduce a new function. Don't even tell
>>> people about "{{{".
>>> In backend JS, Hemika should be able to do the following:
>>>
>>> toClent("fromBackend.protocols", protocols);
>>>
>>> and in the frontend, he should be able to just
>>> console.log(fromBackend.protocols) and see the JSON.
>>> Given the cost of this kind of vulnerability, I don't think we should
>>> even do this as a temp solution. We should safe-stringify before sending;
>>> view the source of Gmail and search for "var GLOBALS" and you will see how
>>> safe JSON stringify works. ALL non-alphanumeric characters have to be
>>> encoded with \x. Not just " but things like <, which are normally
>>> considered safe in JSON, have to be encoded [1].
>>>
>>> 2) We shouldn't be manually iterating to convert to JSON. This just adds
>>> unnecessary boilerplate work the dev has to do. If we implement (1) we
>>> don't need this for now, so we can discuss this later. But also see [2].
>>>
>>> [1] see "JavaScript Encoding" in
>>> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Output_Encoding_Rules_Summary
>>> [2]
>>> http://mail.openjdk.java.net/pipermail/nashorn-dev/2013-September/002013.html
>>>
>>> On Fri, Jun 10, 2016 at 4:46 AM, Hemika Kodikara <[email protected]>
>>> wrote:
>>>
>>>> Also please note that I used the JSON.stringify method in server-side JS.
>>>>
>>>> Hemika Kodikara
>>>> Software Engineer
>>>> WSO2 Inc.
>>>> lean . enterprise . middleware
>>>> http://wso2.com
>>>>
>>>> Mobile : +94777688882
>>>>
>>>> On Fri, Jun 10, 2016 at 2:13 PM, Hemika Kodikara <[email protected]>
>>>> wrote:
>>>>
>>>>> Thanks Rasika for the solution.
>>>>>
>>>>> In the client-side JS, I have the following code:
>>>>>
>>>>>     <script type="text/javascript">
>>>>>         var protocols = {{{protocols}}};
>>>>>         $.each(protocols, function(index, value) {
>>>>>             $('#queue-subscription-protocols').append($('<option>').text(value).attr('value', index));
>>>>>         });
>>>>>     </script>
>>>>>
>>>>> I have to use 3 curly braces.
>>>>>
>>>>> Regards,
>>>>> Hemika
>>>>>
>>>>> Hemika Kodikara
>>>>> Software Engineer
>>>>> WSO2 Inc.
>>>>> lean . enterprise . middleware
>>>>> http://wso2.com
>>>>>
>>>>> Mobile : +94777688882
>>>>>
>>>>> On Fri, Jun 10, 2016 at 2:00 PM, Hemika Kodikara <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi Milinda,
>>>>>>
>>>>>> It is not a string array; it's actually Java objects that are there.
>>>>>>
>>>>>> Hi Sajith,
>>>>>>
>>>>>> I modified the Nashorn script as follows:
>>>>>>
>>>>>> var onRequest = function (context) {
>>>>>>     var protocols = callOSGiService("org.wso2.andes.kernel.Andes", "getSupportedProtocols", []);
>>>>>>     var protocolStrings = [];
>>>>>>     // Nashorn "for each" iterates the Java Set returned by the OSGi service
>>>>>>     for each (var item in protocols) {
>>>>>>         protocolStrings.push(item.toString());
>>>>>>     }
>>>>>>
>>>>>>     // var protocolsJson = JSON.stringify(protocolStrings);
>>>>>>     return {"protocols" : protocolStrings};
>>>>>> };
>>>>>>
>>>>>> I am assigning the "protocols" JSON value to a JavaScript variable on
>>>>>> the client side as follows:
>>>>>>
>>>>>>         var protocols = {{protocols}};
>>>>>>         $.each(protocols, function(index, value) {
>>>>>>             $('#queue-subscription-protocols').append($('<option>').text(value).attr('value', index));
>>>>>>         });
>>>>>>
>>>>>>
>>>>>> But I am getting the following errors when the page is rendered
>>>>>> (client-side JS):
>>>>>>
>>>>>> var protocols = [object Array];    <-- Syntax error
>>>>>>
>>>>>> When I use JSON.stringify in the server-side JS, I get the following
>>>>>> output:
>>>>>>
>>>>>> var protocols =
>>>>>> [&quot;AMQP-0-10&quot;,&quot;MQTT-default&quot;,&quot;AMQP-0-91&quot;,&quot;AMQP-8-0&quot;,&quot;AMQP-0-9&quot;];
>>>>>>   <-- Unexpected token &
>>>>>>
>>>>>> Any idea?
>>>>>>
>>>>>> Regards,
>>>>>> Hemika
>>>>>>
>>>>>>
>>>>>> Hemika Kodikara
>>>>>> Software Engineer
>>>>>> WSO2 Inc.
>>>>>> lean . enterprise . middleware
>>>>>> http://wso2.com
>>>>>>
>>>>>> Mobile : +94777688882
>>>>>>
>>>>>> On Fri, Jun 10, 2016 at 12:51 PM, Milinda Perera <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Hemika,
>>>>>>>
>>>>>>> If AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, AMQP-0-9 are
>>>>>>> strings, the following should work:
>>>>>>>
>>>>>>> JSON.parse("[\"AMQP-0-10\", \"MQTT-default\", \"AMQP-0-91\", \"AMQP-8-0\", \"AMQP-0-9\"]")
>>>>>>>
>>>>>>> According to [1], within an array "A value can be a string in
>>>>>>> double quotes, or a number, or true or false or null, or an
>>>>>>> object or an array. These structures can be nested."
>>>>>>>
>>>>>>> [1] http://www.json.org/
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Mili
>>>>>>>
>>>>>>> On Fri, Jun 10, 2016 at 12:33 PM, Hemika Kodikara <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> I am invoking the callOSGiService method in Nashorn to get a list
>>>>>>>> of the protocols that are in Andes of MB.
>>>>>>>>
>>>>>>>> I am getting the following output after invoking
>>>>>>>> callOSGiService:
>>>>>>>> [AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, AMQP-0-9]
>>>>>>>>
>>>>>>>> But I need to convert it into a JavaScript array (probably a String
>>>>>>>> array), and then bind it to a dropdown (select element).
>>>>>>>>
>>>>>>>> I tried JSON.parse, but I am getting the following errors:
>>>>>>>>
>>>>>>>> jjs> JSON.parse("[AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0,
>>>>>>>> AMQP-0-9]");
>>>>>>>> <shell>:1 SyntaxError: Invalid JSON: <json>:1:1 Expected json
>>>>>>>> literal but found ident
>>>>>>>> [AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0, AMQP-0-9]
>>>>>>>>  ^
>>>>>>>>
>>>>>>>> jjs> JSON.parse([AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0,
>>>>>>>> AMQP-0-9]);
>>>>>>>> ECMAScript Exception: SyntaxError: <shell>:1:28 Expected an operand
>>>>>>>> but found default
>>>>>>>> JSON.parse([AMQP-0-10, MQTT-default, AMQP-0-91, AMQP-8-0,
>>>>>>>> AMQP-0-9]);
>>>>>>>>                             ^
>>>>>>>>
>>>>>>>> My OSGi method returns a Set<ProtocolType>.
>>>>>>>>
>>>>>>>> How can I achieve this?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Hemika
>>>>>>>>
>>>>>>>> Hemika Kodikara
>>>>>>>> Software Engineer
>>>>>>>> WSO2 Inc.
>>>>>>>> lean . enterprise . middleware
>>>>>>>> http://wso2.com
>>>>>>>>
>>>>>>>> Mobile : +94777688882
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Dev mailing list
>>>>>>>> [email protected]
>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Milinda Perera
>>>>>>> Software Engineer;
>>>>>>> WSO2 Inc. http://wso2.com ,
>>>>>>> Mobile: (+94) 714 115 032
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> With regards,
>>> *Manu*ranga Perera.
>>>
>>> phone : 071 7 70 20 50
>>> mail : [email protected]
>>>
>>
>>
>>
>> --
>> Sajith Janaprasad Ariyarathna
>> Software Engineer; WSO2, Inc.;  http://wso2.com/
>>
>
>
>
> --
> Ayoma Wijethunga
> Software Engineer
> Platform Security Team
> WSO2, Inc.; http://wso2.com
> lean.enterprise.middleware
>
> Mobile : +94 (0) 719428123
> Blog : http://www.ayomaonline.com
> LinkedIn: https://www.linkedin.com/in/ayoma
>
>
>


-- 
Sudharma Subasinghe,
Software Engineer,
WSO2 Inc.
Email: [email protected]
Mobile : +94 710 565 157
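Manuranga's "safe stringify" point above, as an added example that is not code from the thread or from WSO2: every non-alphanumeric character inside string values and keys is emitted as a \x or \u escape, so the literal can be placed into a <script> block by a toClient-style helper without any HTML encoding; the hypothetical htmlEscapedJson shows why the {{ }} output failed with "Unexpected token &". Function names and the sample data are constructed.

```javascript
// Added example, not code from the thread; names are hypothetical.
// Encode every non-alphanumeric UTF-16 code unit of a string as a JS escape,
// so the emitted literal never contains <, >, /, &, quotes or line breaks.
function encodeJsString(s) {
  let out = '"';
  for (let i = 0; i < s.length; i++) {
    const cu = s.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(s[i])) {
      out += s[i];
    } else if (cu < 0x100) {
      out += '\\x' + cu.toString(16).padStart(2, '0');
    } else {
      out += '\\u' + cu.toString(16).padStart(4, '0');
    }
  }
  return out + '"';
}

// Serialize a JSON-compatible value. Structural characters ([ ] { } , : ")
// stay as-is; every string value and object key goes through encodeJsString.
function safeStringifyForScript(value) {
  if (value === null || typeof value === 'number' || typeof value === 'boolean') return String(value);
  if (typeof value === 'string') return encodeJsString(value);
  if (Array.isArray(value)) return '[' + value.map(safeStringifyForScript).join(',') + ']';
  if (typeof value === 'object') {
    return '{' + Object.keys(value)
      .map(k => encodeJsString(k) + ':' + safeStringifyForScript(value[k]))
      .join(',') + '}';
  }
  throw new TypeError('cannot embed value of type ' + typeof value);
}

// What Handlebars "{{ }}" does to JSON.stringify output: HTML entity escaping,
// which is what produced the "Unexpected token &" error in the thread.
function htmlEscapedJson(value) {
  return JSON.stringify(value).replace(/[&<>"']/g,
    c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Evaluate a literal the way the browser would inside a <script> block.
function evalLiteral(literal) {
  return new Function('return ' + literal + ';')();
}

// Constructed sample: the protocol list from the thread plus one hostile entry.
const sample = { protocols: ['AMQP-0-10', 'MQTT-default', '</script>'] };
const literal = safeStringifyForScript(sample);
console.log(literal);                         // no raw <, >, / or & anywhere
console.log(evalLiteral(literal).protocols);  // original strings restored
```

The encoded form is not valid JSON (JSON has no \x escapes), so the browser side reads it as a JS literal rather than through JSON.parse, which is exactly the fromBackend.protocols usage proposed above.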