Well, would you like to submit a documentation patch? ;-)

Best,
-N

On Dec 16, 2007 9:47 PM, spyboost <[EMAIL PROTECTED]> wrote:
>
> Thanks for the quick reply :)
> But the documentation is a little bit confusing. Almost the same text as
> for stripScripts but absolutely different behavior.))
>
> On 17 Dec, 00:39, "Nicolás Sanguinetti" <[EMAIL PROTECTED]> wrote:
> > Yeah, it's working correctly. The idea is to remove *only* the tags,
> > in order to, for example, 'clean' client code. (You don't want that
> > <h1> they put breaking up all your layout :))
> >
> > If you look at the first example, you'll see that they remove the tag,
> > but the content remains :)
> >
> > Best,
> > -Nicolas
> >
> > On Dec 16, 2007 9:34 PM, spyboost <[EMAIL PROTECTED]> wrote:
> > >
> > > I've noticed a strange behavior of the stripTags() function.
> > > As the documentation says about stripTags(): "Strips a string of any
> > > HTML tag."
> > > But this function eliminates only the tags, not the content inside.
> > > I tested it with a response containing a mix of JSON data and some
> > > HTML code.
> > > Here it is:
> > >
> > > ******************* JSP PAGE **********************************************
> > > <%@ page language="java" contentType="text/html; charset=UTF-8"
> > >     pageEncoding="UTF-8"%>
> > > <%@ taglib uri="http://www.atg.com/taglibs/json" prefix="json" %>
> > > <json:object>
> > >   <json:object name="elements">
> > >     <json:property name="Rating" value="${rating}" />
> > >     <json:property name="Count" value="${count}"/>
> > >   </json:object>
> > > </json:object>
> > > <script>alert('Bye bye');</script>
> > > <div>I will survive after stripTags()</div>
> > > **********************************************************************************
> > >
> > > Then, in my JavaScript I typed the following code (responseText is
> > > retrieved after the AJAX call; for simplicity I omit the AJAX code and
> > > provide only a piece of the callback function onAjaxLoad):
> > >
> > > //JavaScript code
> > > var responseText = responseText.stripScripts().stripTags().strip();
> > > // malicious text is still present in the response.
> > >
> > > The stripScripts() function eliminates the <script>[content]</script>
> > > tag totally. But after stripTags() finished, the "I will survive after
> > > stripTags()" text is still present in responseText.
> > >
> > > Everything would be fine if the stripTags() function had worked like
> > > stripScripts() did.
> > > Is this the correct behavior for the stripTags() function?
> > > If yes, then the documentation should be changed.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Spinoffs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/rubyonrails-spinoffs?hl=en
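The behavior discussed in the thread, as an added example that is not part of the thread and not Prototype's own source. The two regexes are assumptions modeled on the String#stripScripts and String#stripTags patterns in Prototype 1.6; the response string is constructed to match the shape of the JSP output in the post. The block shows why stripScripts drops the script body while stripTags keeps the div text, why neither is a sanitizer (a single-pass tag stripper can glue a <script> tag together out of fragments that stripScripts, run first, never saw), and what the practitioner's fix looks like: serve JSON only and parse it, and treat anything you still want to display as text rather than markup.

```javascript
// Added example, not code from the thread or from Prototype itself.
// Regex strippers in the style of Prototype 1.6's String#stripScripts and
// String#stripTags (patterns are assumptions modeled on that release).

// Removes whole <script ...>...</script> blocks, body included.
const SCRIPT_FRAGMENT = /<script[^>]*>([\S\s]*?)<\/script>/gim;
function stripScripts(s) {
  return s.replace(SCRIPT_FRAGMENT, "");
}

// Removes opening and closing tags only; the text between them is kept.
const TAG = /<\w+(\s+("[^"]*"|'[^']*'|[^>])+)?>|<\/\w+>/gi;
function stripTags(s) {
  return s.replace(TAG, "");
}

// The chain used in the post: stripScripts().stripTags().strip().
function cleanLikeThePost(s) {
  return stripTags(stripScripts(s)).trim();
}

// Constructed response: the JSON the taglib would emit for rating=4,
// count=12, followed by the two HTML lines from the JSP page in the post.
const RESPONSE = [
  '{"elements":{"Rating":"4","Count":"12"}}',
  "<script>alert('Bye bye');</script>",
  "<div>I will survive after stripTags()</div>",
].join("\n");

// Constructed input: a script tag split by a <b> tag. stripScripts finds no
// literal "<script" here; stripTags then removes the <b> tags and leaves an
// intact <script> element behind, i.e. the chain from the post yields one.
const NESTED = "<scr<b>ipt>alert(1)</scr<b>ipt>";

// Text that is going to be displayed should be escaped (or assigned via
// textContent), so a tag that survived stripping is rendered, not parsed.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// The fix for the post's setup: the endpoint returns JSON and nothing else,
// and the client parses it. Returns null when the body is not pure JSON,
// which is exactly what happens when HTML is appended to it.
function parseJsonOnly(body) {
  try {
    return JSON.parse(body);
  } catch (e) {
    return null;
  }
}

console.log("chain  :", JSON.stringify(cleanLikeThePost(RESPONSE)));
console.log("nested :", cleanLikeThePost(NESTED));
console.log("escaped:", escapeHtml(cleanLikeThePost(NESTED)));
console.log("mixed body parses as JSON:", parseJsonOnly(RESPONSE) !== null);
console.log("JSON-only body Rating:", parseJsonOnly(RESPONSE.split("\n")[0]).elements.Rating);
```

Running it prints the post's observation (the script is gone, "I will survive after stripTags()" remains) and then the part the post does not show: the NESTED input comes out of the same chain as a complete <script>alert(1)</script>, because stripTags reassembles the tag after stripScripts has already run. Swapping the two calls happens to catch this one input, but that is a regex race, not sanitization; the mixed JSON-plus-HTML body fails JSON.parse, while the JSON line alone parses cleanly, which is the shape the endpoint should have had in the first place.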
