On 2009/07/16 00:27:26, ihab.awad wrote:
Looks good, but see comments. What do you think?

http://codereview.appspot.com/88118/diff/2001/2005
File tests/com/google/caja/plugin/templates/TemplateCompilerTest.java (right):

http://codereview.appspot.com/88118/diff/2001/2005#newcode147
Line 147: "<form action='test:///testFormRewritten'"
The default form action URL, as used here, is being added by
TemplateCompiler.java; see line 225++:

   if (a.getType() == HTML.Attribute.Type.URI) {
     safeValue = Nodes.getFilePositionFor(el)
         .source().getUri().toString();
     // ...
   }

This code is generic for any URI-valued attribute; it simply selects what it
considers a "safe value".

Should we be calling the PluginEnvironment instead to get what *it* thinks is a
"safe" URI? Should that be [yet] an[other] callback on the PluginEnvironment?
Wouldn't that be more consistent with your "trust the PluginEnvironment
assertion?

It seems that a URI back to the original source code of a plugin (which is what
the existing code does) is only "safe" if the PluginEnvironment thinks so,
right?

yeah, but the safeValue does get sent through PluginEnvironment
rewriteUri.
if a PluginEnvironment wants a safeValue other than the automatic one,
it can do the substitution then, right?

http://codereview.appspot.com/88118
