1) Please don't put inline JS in HTML; this is an old practice, people
don't do this anymore [1]. In fact, in my opinion, we should block that
using Content-Security-Policy.
2) If you want to send information from backend-JS to frontend-JS, please
use the sendToClient feature of UUF.

[1] https://en.wikipedia.org/wiki/Unobtrusive_JavaScript

On Tue, Feb 28, 2017 at 6:23 AM, Nuwandi Wickramasinghe <[email protected]>
wrote:

> Does this encoding work properly when sent in JavaScript attributes as
> well? I recently noticed that the following type of call does not work as
> expected if the value *question* contains a single quote.
>
> <a onclick="editQuestion('{{question}}')">
>
>
> On Tue, Jan 31, 2017 at 11:04 PM, Manuranga Perera <[email protected]> wrote:
>
>> UUF automatically escapes sensitive characters [1]. Please don't use
>> 'encoding' for 'escaping'.
>>
>> [1] https://github.com/jknack/handlebars.java/blob/1f6c48e606dc1303d1e92a0a0eaa94120eba64fd/handlebars/src/main/java/com/github/jknack/handlebars/EscapingStrategy.java#L82
>>
>> On Tue, Jan 31, 2017 at 5:23 PM, Jayanga Kaushalya <[email protected]>
>> wrote:
>>
>>> Hi Manuranga,
>>>
>>> This is not because of a security reason. The security question set id
>>> may contain HTML special characters, so the set id is sent to the UI after
>>> encoding to Base64.
>>>
>>> Thanks!
>>>
>>> *Jayanga Kaushalya*
>>> Software Engineer
>>> Mobile: +94777860160
>>> WSO2 Inc. | http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> On Tue, Jan 31, 2017 at 10:42 PM, Manuranga Perera <[email protected]>
>>> wrote:
>>>
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Manuranga Perera <[email protected]>
>>>> Date: Tue, Jan 31, 2017 at 5:11 PM
>>>> Subject: Security questions are encoded
>>>> To: Johann Nallathamby <[email protected]>, Jayanga Kaushalya <[email protected]>, Isura Karunaratne <[email protected]>
>>>>
>>>>
>>>> Security questions are base64 encoded [1]. If they were encrypted (e.g.
>>>> RSA) or hashed (e.g. SHA), I could understand that it's for security reasons.
>>>> All this does is obfuscation, and poorly even at that, since base64 can be
>>>> easily decoded.
>>>>
>>>> Or is it done for non-security reasons, like escaping special
>>>> characters?
>>>>
>>>> [1] https://github.com/wso2/product-is/blob/6.0.x-C5_m3/portal/osgi-services/org.wso2.is.portal.user.client.api/src/main/java/org/wso2/is/portal/user/client/api/ChallengeQuestionManagerClientServiceImpl.java#L113
>>>>
>>>> --
>>>> With regards,
>>>> *Manu*ranga Perera.
>>>>
>>>> phone : 071 7 70 20 50
>>>> mail : [email protected]
>>>>
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> [email protected]
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>
>>
>> --
>> With regards,
>> *Manu*ranga Perera.
>>
>> phone : 071 7 70 20 50
>> mail : [email protected]
>>
>>
>>
>
>
> --
>
> Best Regards,
>
> Nuwandi Wickramasinghe
>
> Software Engineer
>
> WSO2 Inc.
>
> Web : http://wso2.com
>
> Mobile : 0719214873
>



-- 
With regards,
*Manu*ranga Perera.

phone : 071 7 70 20 50
mail : [email protected]
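As an added example, not UUF or WSO2 code and not posted by anyone in this thread, the following Node script models what a browser does with a Handlebars-escaped value in the two positions discussed above: a plain attribute (the set id that contains HTML special characters, Jayanga's reason for the base64 step) and the inline `onclick="editQuestion('{{question}}')"` handler Nuwandi asked about. The escaping function is my own reimplementation modelled on the HTML_ENTITY strategy linked in the thread (assumed to escape the same seven characters; check the linked source), the entity decoder stands in for the browser's attribute parser, the sample values are constructed, and `editQuestion`, `evil`, `data-set-id` and `data-question` are hypothetical names.

```javascript
// Added example, not UUF/WSO2 code.  Models, in plain Node with no DOM, what a browser
// does with a Handlebars-escaped value in (1) an ordinary attribute and (2) the thread's
// onclick="editQuestion('{{question}}')" position, and shows the no-inline-JS alternative.

// Reimplementation, for illustration only, of the HTML_ENTITY escaping strategy linked in
// the thread (assumption: same character set as handlebars.java; check the linked source).
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};
function htmlEntityEscape(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => HTML_ENTITIES[ch]);
}

// What the HTML parser does to an attribute value before any script sees it: character
// references are decoded.  Handles the references produced above plus a few named ones.
const NAMED_REFS = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeCharRefs(attrValue) {
  return attrValue.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi, (m, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    const key = name.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, key) ? NAMED_REFS[key] : m;
  });
}

// Pull one attribute out of a rendered tag and return it as the browser would deliver it
// (decoded).  A tiny matcher is enough because escaping guarantees no raw '"' inside.
function attributeValue(html, name) {
  const m = html.match(new RegExp(`${name}="([^"]*)"`));
  return m ? decodeCharRefs(m[1]) : null;
}

// Position 1: a set id in a plain attribute (hypothetical attribute name).  Escaping alone
// is enough here, so no base64 step is needed: the original value round-trips exactly.
function renderSetIdAttribute(setId) {
  return `<a data-set-id="${htmlEntityEscape(setId)}">`;
}

// Position 2: the inline handler from the thread.  The value ends up inside a JavaScript
// string literal, a context HTML escaping does not address: the parser decodes &#x27;
// back to a quote before the JS engine ever parses the handler.
function renderOnclick(question) {
  return `<a onclick="editQuestion('${htmlEntityEscape(question)}')">`;
}

// Does the decoded onclick body parse?  new Function compiles without running, so
// editQuestion need not exist.  false means the link is broken, as Nuwandi observed.
function onclickParses(html) {
  try {
    new Function(attributeValue(html, 'onclick'));
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// The no-inline-JS form: the value travels in a data attribute (HTML context only) and the
// handler is attached from a script, so there is no nested JavaScript-string context and a
// Content-Security-Policy without 'unsafe-inline' can be enforced.
function renderDataAttribute(question) {
  return `<a class="edit-question" data-question="${htmlEntityEscape(question)}">`;
}
// The script such a page would load (not run here; Node has no DOM):
//   document.querySelectorAll('a.edit-question').forEach((a) =>
//     a.addEventListener('click', () => editQuestion(a.dataset.question)));

// Constructed sample values.
const SET_ID = 'q<1>&"set"';                 // HTML-special characters, the base64 motivation
const QUESTION = "What's your pet's name?";  // the single-quote case from the thread
const BREAKOUT = "x');evil();//";            // a value that closes the literal early

function demo() {
  const setTag = renderSetIdAttribute(SET_ID);
  const clickTag = renderOnclick(QUESTION);
  return {
    setIdRoundTrips: attributeValue(setTag, 'data-set-id') === SET_ID,
    onclickHtml: clickTag,
    onclickParses: onclickParses(clickTag),
    breakoutScript: attributeValue(renderOnclick(BREAKOUT), 'onclick'),
    dataAttrRoundTrips: attributeValue(renderDataAttribute(QUESTION), 'data-question') === QUESTION,
  };
}

console.log(demo());
```

Run it with `node`. The set id round-trips through escaping alone, which is Manuranga's point that escaping, not base64, is the tool for special characters. The onclick case shows why the single quote breaks the call: the browser hands the JS engine `editQuestion('What's your pet's name?')`, a syntax error. The third value is the caveat a reviewer would want: it parses cleanly, because everything after the decoded quote is read as code, so HTML entity escaping is not a substitute for a JavaScript-string encoding in that position. Moving the value into a data attribute and attaching the listener from a script removes the nested context entirely, and is also what makes a `script-src` policy without `'unsafe-inline'` possible, since inline event handler attributes are blocked under such a policy.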