On Tue, Mar 9, 2010 at 9:34 AM, Stuart Roebuck <[email protected]> wrote:

> Ross,
>
> Thanks - yes, the NodeSeq is all generated from templates internally.

Then Ross's solution is the best for you.

> The end user does not have any access to change this stuff so this
> particular security issue shouldn't be a problem in this case.
>
> Stuart.
>
> On Mar 9, 5:30 pm, Ross Mellgren <[email protected]> wrote:
>> Ah yes, the reason I went through the fixHtml route is because Stuart
>> specifically mentioned he wanted to process those.
>>
>> Stuart, you should make sure to properly secure this stuff -- either as
>> an admin-only thing (understanding that that person has as much rights as
>> you) or by scrubbing the XML thoroughly.
>>
>> -Ross
>>
>> On Mar 9, 2010, at 12:26 PM, David Pollak wrote:
>>> On Tue, Mar 9, 2010 at 9:14 AM, Ross Mellgren <[email protected]> wrote:
>>>> Try this (I haven't tested it, so there could be lurking bugs):
>>>>
>>>> case class JQueryNodeSeq(ns: NodeSeq) extends JsExp with JQueryLeft with HtmlFixer {
>>>>   override def toJsCmd = "jQuery(" + JsStr(fixHtml("NodeSeqDialog", ns)).toJsCmd + ")"
>>>> }
>>>
>>> Ross,
>>>
>>> This is good code, but introduces a potential security vulnerability. ;-)
>>>
>>> fixHtml runs the NodeSeq through Lift's snippet handler. If you have
>>> web-user input, a user could type in <lift:xxxx/> and cause server-side code
>>> to be executed.
>>>
>>> import net.liftweb.util._
>>> import Helpers._
>>>
>>> Personally, I'd suggest "jQuery(" + AltXML.toXML(nodeSeq, false, true).encJs + ")"
>>>
>>> Thanks,
>>>
>>> David
>>>
>>>> Then JQueryNodeSeq(ns) ~> JsFunc("dialog")
>>>>
>>>> -Ross
>>>>
>>>> On Mar 9, 2010, at 12:06 PM, Stuart Roebuck wrote:
>>>>> I'm trying to produce a web page with editable content.
>>>>>
>>>>> When the user clicks an edit button on a line it uses jQuery to
>>>>> display a modal dialog which allows fields of that line to be edited.
>>>>>
>>>>> I can easily produce a snippet to produce the lines using the backend
>>>>> data and an XHTML template and binding etc.
>>>>>
>>>>> However, I also want the template to include the template for the
>>>>> dialog. So I want the ajax button callback to send JavaScript to
>>>>> instantiate the jQuery UI dialog based on the template and bindings.
>>>>>
>>>>> To build this I need to assemble a JsCmd containing the NodeSeq that
>>>>> comes from the XHTML sequence and the bindings.
>>>>>
>>>>> In short, if this was straight jQuery I would have some JavaScript of
>>>>> the form:
>>>>>
>>>>> $(<div title="Dialog Title">theFormNodeSeq</div>).dialog()
>>>>>
>>>>> But in my case theFormNodeSeq comes from a NodeSeq that was assembled
>>>>> from part of the XHTML template and the bindings and the end result
>>>>> needs to be a JsCmd.
>>>>>
>>>>> So I'm trying to do something like:
>>>>>
>>>>> JsCmds.Run("$(" + theFormNodeSeq.toString + ").dialog()")
>>>>>
>>>>> But I need to address escaping issues with the HTML and I also need to
>>>>> pre-process any "<lift:… />" commands in theFormNodeSeq.
>>>>>
>>>>> Any advice (please)?
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Lift" group.
>>>>> To post to this group, send email to [email protected].
>>>>> To unsubscribe from this group, send email to [email protected].
>>>>> For more options, visit this group at http://groups.google.com/group/liftweb?hl=en.
>>>
>>> --
>>> Lift, the simply functional web framework http://liftweb.net
>>> Beginning Scala http://www.apress.com/book/view/1430219890
>>> Follow me: http://twitter.com/dpp
>>> Surf the harmonics
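The distinction David draws, written out as an added example that is not from the thread or from Lift's own code: the literal route (AltXML.toXML plus encJs) for markup that may contain user input, and a check for the `<lift:...>` element form before template-generated markup is handed to fixHtml. AltXML.toXML, encJs, JsExp, JsFunc and JsCmds.Run are the Lift APIs named on the page; DialogJs, JQueryLiteral, hasLiftTags and dialogFor are names chosen here.

```scala
import scala.xml.{Group, NodeSeq}
import net.liftweb.http.js.{JsCmd, JsCmds, JsExp}
import net.liftweb.http.js.JE.JsFunc
import net.liftweb.util.AltXML
import net.liftweb.util.Helpers._

// Added example, not code from the thread or from Lift. It assumes Lift's
// AltXML.toXML(Node, stripComment, convertAmp) and the encJs string helper
// that David's reply uses; the object and function names are chosen here.
object DialogJs {

  /** Hands a NodeSeq to jQuery as an inert JavaScript string literal.
   *  AltXML.toXML serialises the markup verbatim (no snippet processing) and
   *  encJs quotes and escapes it, so a <lift:.../> element that came from a
   *  user reaches the browser as text and is never executed on the server. */
  case class JQueryLiteral(ns: NodeSeq) extends JsExp {
    override def toJsCmd =
      "jQuery(" + AltXML.toXML(Group(ns), false, true).encJs + ")"
  }

  /** True when any element in the markup carries the lift: prefix, i.e. the
   *  form the snippet handler executes server-side. Run it on markup that
   *  mixes template output with user-supplied fragments before that markup
   *  is passed through fixHtml. */
  def hasLiftTags(ns: NodeSeq): Boolean =
    (ns \\ "_").exists(_.prefix == "lift")

  /** $(...).dialog() over markup that must never be snippet-processed. */
  def dialogFor(ns: NodeSeq): JsCmd =
    JsCmds.Run((JQueryLiteral(ns) ~> JsFunc("dialog")).toJsCmd)

  def main(args: Array[String]): Unit = {
    // Constructed sample: the element form David mentions, as if it had been
    // typed by a web user and parsed into the dialog markup.
    val untrusted: NodeSeq = <div title="Dialog Title"><lift:xxxx/></div>
    println(hasLiftTags(untrusted))        // true: not safe to pass to fixHtml
    println(dialogFor(untrusted).toJsCmd)  // jQuery("<div ...>") as a string literal
  }
}
```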
