Like David said, be very careful about using NodeSeqs if you're taking user-generated content, since that can lead directly to cross-site scripting attacks and other nastiness.
Derek

On Wed, Oct 21, 2009 at 7:41 AM, Jack Widman <[email protected]> wrote:
> Oops. I just noticed I made source.body a String and not a NodeSeq.
> Sometimes source.body is text with html tags in it. Like -
>
> Hey dude, <b>what</b> are you doing?
>
> I guess I should make it a NodeSeq. Sorry about that.
> Jack
>
> On Wed, Oct 21, 2009 at 9:33 AM, David Pollak <[email protected]> wrote:
>
>> On Wed, Oct 21, 2009 at 6:32 AM, jack <[email protected]> wrote:
>>
>>> Let's say source.body is <a><href="google.com">Search</a>. If I put
>>> source.body in a span like this -
>>>
>>> <span>{source.body}</span>
>>>
>>> source.body will be converted to text and the actual link tags will be
>>> displayed. What is the right way to do this?
>>
>> How was source.body generated?
>>
>>> On Oct 21, 9:06 am, David Pollak <[email protected]> wrote:
>>> > On Tue, Oct 20, 2009 at 10:16 PM, jack <[email protected]> wrote:
>>> >
>>> > > OK, I see why this is happening. The {exp} in the NodeSeq converts exp
>>> > > to a String. So I did it by creating a string and then converting it to a
>>> > > NodeSeq at the end. Is there a way to do this without using an
>>> > > intermediary string?
>>> >
>>> > I don't know what a source is, but you really, really have to be careful
>>> > about promoting a String to a NodeSeq. If the String has user-generated
>>> > content in it, then you've got a cross-site scripting vulnerability waiting
>>> > to happen. For user-generated content, I suggest using the Textile parser
>>> > built into Lift.
>>> >
>>> > In any case, if you don't have a NodeSeq in your data structure, you'll have
>>> > to parse it into XML before displaying it.
>>> >
>>> > > On Oct 21, 1:03 am, jack <[email protected]> wrote:
>>> > > > I have the following method display. source.body has html tags in it
>>> > > > but the actual tags are showing instead of being evaluated. e.g. I'm
>>> > > > seeing things like '<b>Hey There</b>' instead of 'Hey There' in bold.
>>> > > > This method is in a CometActor and is running when the page is
>>> > > > rendered. Am I missing something obvious?
>>> > > >
>>> > > > def display(sources: List[Source]): NodeSeq = {
>>> > > >   <span id="joop"><table>
>>> > > >   {
>>> > > >     for { source <- sources } yield <tr><td>{source.body}</td></tr>
>>> > > >   }
>>> > > >   </table>
>>> > > >   </span>
>>> > > > }
>>> >
>>> > --
>>> > Lift, the simply functional web framework http://liftweb.net
>>> > Beginning Scala http://www.apress.com/book/view/1430219890
>>> > Follow me: http://twitter.com/dpp
>>> > Surf the harmonics
>
> --
> Jack
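The three behaviours the thread circles around (a String interpolated into an XML literal is escaped; a String parsed into a NodeSeq renders as live markup; user-supplied markup needs to be constrained before it is promoted) are shown below in an added example. It is not code from the thread or from Lift; it uses only `scala.xml`, the `BodyRendering` object, its method names and the two sample bodies are made up for the illustration, and the allow-list sanitizer is a minimal stand-in for the Textile route David mentions, not Lift's own parser.

```scala
import scala.xml.{Elem, Node, NodeSeq, Text, XML}

// Added example (not from the thread or from Lift): the ways a body string can
// reach a page, and what each one does with markup inside it.
object BodyRendering {

  // Constructed sample inputs. The first is the kind of body Jack describes;
  // the second stands in for whatever a user might type into the same field.
  val trustedBody: String = "Hey dude, <b>what</b> are you doing?"
  val userBody: String = "hi <b>there</b> <script>alert(1)</script>"

  // 1. Interpolating a String: the XML literal wraps it in Text, so '<' and
  //    '>' are escaped on output and the tags are displayed literally.
  //    Safe by construction, which is exactly why Jack saw raw tags.
  def renderAsText(body: String): NodeSeq = <span>{body}</span>

  // 2. Promoting the String to a NodeSeq by parsing it. The tags become real
  //    elements and render as markup, including any <script> a user put there.
  //    Only acceptable when the string was authored by the application.
  //    (The <root> wrapper lets a fragment with several top-level nodes parse;
  //    XML.loadString is a strict XML parser and throws on input that is not
  //    well-formed, e.g. a bare '&' or an unclosed tag.)
  def renderAsMarkup(body: String): NodeSeq =
    <span>{XML.loadString("<root>" + body + "</root>").child}</span>

  // 3. Parse, then keep only an allow-list of harmless inline elements that
  //    carry no attributes. script/style are dropped with their contents; any
  //    other element is unwrapped and its (sanitized) children are kept.
  private val allowedTags: Set[String] = Set("b", "i", "em", "strong")

  def sanitize(nodes: Seq[Node]): NodeSeq = NodeSeq.fromSeq(nodes.flatMap {
    case e: Elem if allowedTags(e.label) && e.attributes.isEmpty =>
      e.copy(child = sanitize(e.child))
    case e: Elem if e.label == "script" || e.label == "style" =>
      NodeSeq.Empty
    case e: Elem =>
      sanitize(e.child)
    case t: Text =>
      t
    case _ =>
      NodeSeq.Empty // comments, processing instructions, entity refs
  })

  def renderSanitized(body: String): NodeSeq =
    <span>{sanitize(XML.loadString("<root>" + body + "</root>").child)}</span>

  def main(args: Array[String]): Unit = {
    println(renderAsText(trustedBody))   // tags escaped: &lt;b&gt;what&lt;/b&gt;
    println(renderAsMarkup(trustedBody)) // tags live: <b>what</b>
    println(renderAsMarkup(userBody))    // the <script> element is emitted as-is
    println(renderSanitized(userBody))   // <b>there</b> kept, <script> removed
  }
}
```

The point for the `display` method in the thread: which of these three `source.body` goes through should depend on where the string came from, and that decision belongs in the data model (store a `NodeSeq` produced by a trusted path, or the raw `String` plus the knowledge that it must be escaped or sanitized), not in the snippet that happens to render it.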
