I haven't seen any modern browser that has this issue -- I was trying to avoid double escaping problems when entities are already present. It looks like this is what the old iGoogle escaping routines were doing as well.
On Fri, Feb 22, 2008 at 8:54 PM, Peter Valchev <[EMAIL PROTECTED]> wrote: > On Fri, Feb 22, 2008 at 2:55 PM, <[EMAIL PROTECTED]> wrote: > > Author: doll > > Date: Fri Feb 22 14:55:21 2008 > > New Revision: 630344 > > > > URL: http://svn.apache.org/viewvc?rev=630344&view=rev > > Log: > > All getField calls now return escaped data. This prevents the doEvil > flag from doing real harm in the SocialHelloWorld. As long as gadgets don't > use unescape they should be safe from bad data. > > Thanks for making this change! One comment below: > > > Changed the escapeString function to check if the passed in object is a > string (makes the opensocial code cleaner) > > > > > > > > Modified: > > incubator/shindig/trunk/features/core/util.js > > incubator/shindig/trunk/features/opensocial-reference/activity.js > > incubator/shindig/trunk/features/opensocial-reference/address.js > > incubator/shindig/trunk/features/opensocial-reference/bodytype.js > > incubator/shindig/trunk/features/opensocial-reference/email.js > > incubator/shindig/trunk/features/opensocial-reference/message.js > > incubator/shindig/trunk/features/opensocial-reference/name.js > > > incubator/shindig/trunk/features/opensocial-reference/organization.js > > incubator/shindig/trunk/features/opensocial-reference/person.js > > incubator/shindig/trunk/features/opensocial-reference/phone.js > > incubator/shindig/trunk/features/opensocial-reference/url.js > > > > Modified: incubator/shindig/trunk/features/core/util.js > > URL: > http://svn.apache.org/viewvc/incubator/shindig/trunk/features/core/util.js?rev=630344&r1=630343&r2=630344&view=diff > > > > ============================================================================== > > --- incubator/shindig/trunk/features/core/util.js (original) > > +++ incubator/shindig/trunk/features/core/util.js Fri Feb 22 14:55:21 > 2008 
> > @@ -196,10 +196,14 @@ > > * @return {String} The escaped string > > */ > > escapeString : function(str) { > > - return str.replace(/</g, "<") > > - .replace(/>/g, ">") > > - .replace(/"/g, """) > > - .replace(/'/g, "'"); > > + if (typeof str == "string") { > > + return str.replace(/</g, "<") > > + .replace(/>/g, ">") > > + .replace(/"/g, """) > > + .replace(/'/g, "'"); > > Can you add '&' too: > + .replace(/&/g, "&") > > if an ampersand isn't escaped, the browser may interpret it as the > beginning of an entity and not display it. > > > + } else { > > + return str; > > + } > -- ~Kevin If you received this email by mistake, please delete it, cancel your mail account, destroy your hard drive, silence any witnesses, and burn down the building that you're in.
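Review bot: If the `&` replacement Peter asks for is added where his suggestion shows it, after the `<`, `>`, `"` and `'` replacements, it will re-escape the ampersand that begins every entity the earlier `.replace` calls just emitted (the entity literals appear decoded in this rendering of the hunk), so the `.replace(/&/g, ...)` must be the first call in the chain. The new `else` branch also returns any non-string input unchanged; that is harmless for numbers, but a `String` object or any other object carrying markup in its `toString()` has `typeof` `"object"` and passes through unescaped, so callers that splice `getField` results into HTML should coerce with `String(str)` before escaping, or the function should do so itself rather than returning `str` as-is.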

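The two points raised in this thread, that `&` has to be escaped before the other characters and that a string which already contains entities should not be escaped a second time, are illustrated below. This is an added example written for this page, not Shindig's `util.js`; the function names `escapeString`, `escapeStringWrongOrder` and `escapeStringPreservingEntities` and the `&#39;` choice for the apostrophe are mine.

```javascript
// Added example, not code from Shindig's util.js. Demonstrates (1) why the
// ampersand must be replaced first and (2) an escape that leaves entities
// already present in the input alone, so applying it twice is harmless.

// Correct order: `&` first, so the ampersands introduced by the entities
// emitted further down the chain are never touched again.
function escapeString(str) {
  if (typeof str !== "string") return str; // same pass-through as the patch
  return str.replace(/&/g, "&amp;")
            .replace(/</g, "&lt;")
            .replace(/>/g, "&gt;")
            .replace(/"/g, "&quot;")
            .replace(/'/g, "&#39;");
}

// Wrong order (ampersand last), kept only to show the failure mode:
// "<" becomes "&lt;" and then the "&" of that entity becomes "&amp;lt;".
function escapeStringWrongOrder(str) {
  if (typeof str !== "string") return str;
  return str.replace(/</g, "&lt;")
            .replace(/>/g, "&gt;")
            .replace(/"/g, "&quot;")
            .replace(/'/g, "&#39;")
            .replace(/&/g, "&amp;");
}

// A "bare" ampersand is one not already starting a well-formed entity:
// named (&amp;), decimal (&#39;) or hexadecimal (&#x27;), all terminated by ";".
const BARE_AMPERSAND = /&(?!(?:[a-zA-Z][a-zA-Z0-9]*|#[0-9]+|#[xX][0-9a-fA-F]+);)/g;

// Entity-preserving escape: still neutralises every "<", ">", '"' and "'",
// but only escapes ampersands that do not already begin an entity. Because
// every entity it emits is itself left alone on a second pass, the function
// is idempotent, which is the property needed when upstream code may have
// escaped the data already. The trade-off is fidelity: an input that really
// contained the literal text "&amp;" is displayed as "&", not "&amp;".
function escapeStringPreservingEntities(str) {
  if (typeof str !== "string") return str;
  return str.replace(BARE_AMPERSAND, "&amp;")
            .replace(/</g, "&lt;")
            .replace(/>/g, "&gt;")
            .replace(/"/g, "&quot;")
            .replace(/'/g, "&#39;");
}

// Idempotence check used below: escaping twice gives the same result as once.
function isIdempotent(escape, str) {
  const once = escape(str);
  return escape(once) === once;
}

// Constructed sample input resembling attacker-supplied profile data.
const SAMPLE = '<a href="x">Tom & Jerry\'s</a>';

console.log(escapeString(SAMPLE));
console.log("plain escape idempotent?    ", isIdempotent(escapeString, SAMPLE));
console.log("preserving escape idempotent?", isIdempotent(escapeStringPreservingEntities, SAMPLE));
```

Note that neither variant makes a value safe outside an HTML text or attribute-value context; a value placed inside a `<script>` block or a URL needs the escaping rules of that context instead.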
