On 14 September 2015 at 11:52, Florian Apolloner <f.apollo...@gmail.com>
wrote:

>
>
> On Monday, September 14, 2015 at 1:17:37 AM UTC+2, jasbligh wrote:
>>
>> I'd propose solving as follows
>> 1) use the autofocus attribute when creating the form. This will work for
>> IE10+ http://caniuse.com/#feat=autofocus It can also be done by
>> creating a few targeted one-line js files and including them instead
>> of the inline. It just seems a lot of http overhead to save users of two
>> old browsers having to click into a text input.
>>
>
> Why would we need one-line js files? If we decide against the autofocus
> attribute (this might get a little bit hard with the forms framework), we
> can still put a data-autofocus="#someif" into the body element and then add
> a handler for that.
>

Perfect, would you know where it would be best to place the js in that case?
(I've got the attribute working with the forms framework though)


>
>> 2) use <script type="application/json"> technique instead.
>> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#HTML_entity_encoding
>>
>
> Makes sense, depending on the actual parameters data attributes could make
> sense too for a few things. Oh, btw please do not handwrite JSON in
> templates, either do it in the view or use a filter to actually create JSON
> which then only needs to go through the autoescape filter I think (In that
> sense there is also not really a need for escapejs as far as I see it, but
> I might be wrong).
>
>
I'll put the json in views or a filter. There was a very relevant
discussion on this before with a gist by David Evans
https://groups.google.com/forum/#!msg/django-developers/RNMs5YbKeRY/ZtewE89xu_4J


>> 3) instead of hrefs pointing to javascript:void(0) change these to simply
>> #javascriptvoid. Other places use inline code in the javascript: href.
>> These could be changed to use #javascriptvoid too and the code moved to a
>> function that is linked to the element using jQuery or the addEvent method
>> from core.js as appropriate.
>>
>
> Sounds good, do we need a target for the hrefs at all though?
>

If it was my project I wouldn't have a target, that's my preferred style.
But I felt that if the code already has javascript:void(0), someone felt the need
for a href attribute and as my first contribution I didn't want to be
changing too much.


>
> Cheers,
> Florian
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at http://groups.google.com/group/django-developers.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/a10e49d9-32c8-475a-ae13-f07dcc8d3b5e%40googlegroups.com
> <https://groups.google.com/d/msgid/django-developers/a10e49d9-32c8-475a-ae13-f07dcc8d3b5e%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>

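Added example, not part of the original e-mail or of Django's code: point 2 of the thread (JSON inside a `<script type="application/json">` element, serialized in the view or a filter rather than handwritten in the template) shown with the handwritten form beside a serialized and escaped form. The function names, the element id `user-data` and the sample value are assumptions made for illustration.

```python
import json
from html import escape
from html.parser import HTMLParser

# \uXXXX forms are valid JSON string escapes, so the decoded data is unchanged,
# but the HTML parser never sees "<", ">" or "&" inside the element.
_ESCAPES = {ord("<"): "\\u003C", ord(">"): "\\u003E", ord("&"): "\\u0026"}
_TEMPLATE = '<script type="application/json" id="%s">%s</script>'

def handwritten_block(element_id, name):
    """The pattern warned against: JSON typed out by hand in the template."""
    return _TEMPLATE % (escape(element_id), '{"name": "%s"}' % name)

def json_data_block(element_id, value):
    """Serialize in the view or a filter, then neutralize <, > and &."""
    return _TEMPLATE % (escape(element_id), json.dumps(value).translate(_ESCAPES))

class ScriptReader(HTMLParser):
    """Records where an HTML parser thinks each script element ends."""
    def __init__(self):
        super().__init__()
        self.in_script, self.blocks, self.stray_tags = False, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.blocks.append("")
        else:
            self.stray_tags.append(tag)  # markup that escaped the data block

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.blocks[-1] += data

def read_blocks(html):
    reader = ScriptReader()
    reader.feed(html)
    reader.close()
    return reader.blocks, reader.stray_tags

# Constructed sample value, not taken from the thread.
SAMPLE = "Tom & </script><b>Jerry"

if __name__ == "__main__":
    print(read_blocks(handwritten_block("user-data", SAMPLE)))
    print(read_blocks(json_data_block("user-data", {"name": SAMPLE})))
```

With the handwritten form the element ends early and the remainder is parsed as markup; with the serialized form the element holds the whole value and `json.loads` returns it unchanged.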
