Re: Allowing JavaScript injection using innerHTML

2009-09-23 Thread JohnJ

Thanks for your post Thomas.  You're right, it's only working for me w/
JQuery.  I have created a wrapper method that uses JQuery under the
hood.

It *seems* to work.

Although, now it appears I have a display issue where the embedded
gadget is the only thing displayed on the page (my host page seems to
vanish).

On to the next problem :-)



On Sep 23, 8:41 am, Thomas Broyer t.bro...@gmail.com wrote:
 On 23 sep, 02:27, JohnJ ufm...@gmail.com wrote:

  I would like to allow the following... (I know this could cause XSS
  issues but the users of this system are trusted).

  DOM.getElementById('someid').setInnerHTML("<script>alert('hello!');</script>");

  If I run this in hosted mode it appears to do nothing. If I compile and
  browse this with Firefox/Firebug it looks like the right markup is
  being added to the page but not executed.

  I am able to do this w/ JQuery or plain JavaScript; I wonder if GWT is
  encoding the script tags?

 No, GWT isn't doing anything specific here; but jQuery does (using
 .html(...), it scans for script elements in the parsed DOM and then
 executes their content with an eval()).
 As for plain JavaScript, well, I don't know how you tested it but I
 can't get it to run in any browser (tested: Chrome 4 (dev), Firefox
 3.5.3, IE8 and Opera 10) with the following code:
 <!DOCTYPE html>
 <body>
 <button type="button" onclick="document.body.innerHTML += 'foo<script>alert(&quot;hello!&quot;)</script>'">Click me!</button>

 Well, note that you *can* make the script run in IE if you use the
 'defer' attribute: <script defer>alert("hello");</script>, as
 explained on the MSDN:
 http://msdn.microsoft.com/en-us/library/ms533897(VS.85).aspx
 ...but HTML5 specs it as not executing scripts:
 http://www.w3.org/TR/2008/WD-html5-20080610/dom.html#innerhtml0
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
Google Web Toolkit group.
To post to this group, send email to google-web-toolkit@googlegroups.com
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en
-~--~~~~--~~--~--~---
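The innerHTML behaviour Thomas describes above, as an added browser demo that is not code from the thread: plain innerHTML parses a script element but never runs it, while a jQuery-style wrapper runs it afterwards (here by re-creating the script element rather than jQuery's eval()). The markup string and element ids are constructed for the demo.

```html
<!DOCTYPE html>
<html>
<body>
<div id="host">host page content</div>
<div id="target"></div>
<pre id="log"></pre>
<script>
// Constructed markup with an inline script, like the thread's example.
// "<\/script>" keeps the HTML parser from ending this script block early.
var markup = '<p>gadget</p><script>window.log("script ran");<\/script>';

function log(msg) { document.getElementById('log').textContent += msg + '\n'; }
window.log = log;

// 1. Plain innerHTML (what GWT's setInnerHTML boils down to): the script
//    element is parsed into the DOM but never executed, as HTML5 specifies.
function setInnerHtml(el, html) {
  el.innerHTML = html;
  return el.querySelectorAll('script').length; // inert script nodes present
}

// 2. jQuery-style wrapper: parse, then run each script. Instead of jQuery's
//    eval(), each inert node is swapped for a freshly created script element,
//    which the browser does execute on insertion. Inline code only; a src
//    attribute is not handled here.
function setInnerHtmlAndRunScripts(el, html) {
  el.innerHTML = html;
  el.querySelectorAll('script').forEach(function (inert) {
    var live = document.createElement('script');
    live.textContent = inert.textContent;
    inert.parentNode.replaceChild(live, inert);
  });
}

// innerHTML not running <script> is a parser detail, not a sanitizer:
// markup from anyone other than trusted users still needs filtering first.
var target = document.getElementById('target');
log('innerHTML only: ' + setInnerHtml(target, markup) + ' script node(s), nothing executed');
setInnerHtmlAndRunScripts(target, markup);   // log then shows "script ran"
// If the executed script called document.write() after page load, it would
// implicitly document.open() and wipe the host page, matching the symptom above.
</script>
</body>
</html>
```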



Re: Allowing JavaScript injection using innerHTML

2009-09-23 Thread Thomas Broyer



On 23 sep, 16:50, JohnJ ufm...@gmail.com wrote:
 Thanks for your post Thomas.  You're right, it's only working for me w/
 JQuery.  I have created a wrapper method that uses JQuery under the
 hood.

 It *seems* to work.

 Although, now it appears I have a display issue where the embedded
 gadget is the only thing displayed on the page (my host page seems to
 vanish).

 On to the next problem :-)

document.write() somewhere in the executed script?



Allowing JavaScript injection using innerHTML

2009-09-22 Thread JohnJ

I would like to allow the following... (I know this could cause XSS
issues but the users of this system are trusted).

DOM.getElementById('someid').setInnerHTML("<script>alert('hello!');</script>");

If I run this in hosted mode it appears to do nothing. If I compile and
browse this with Firefox/Firebug it looks like the right markup is
being added to the page but not executed.

I am able to do this w/ JQuery or plain JavaScript; I wonder if GWT is
encoding the script tags?

Thanks in advance.

John