I would like to propose a change to the behavior, such that there is NO escaping. Here's the rationale:
From the code this change happened on March 11. None of the referenced bugs seem to indicate a request to make the change.

The OpenSocial specification section 3.1.3(4):
http://www.opensocial.org/Technical-Resources/opensocial-spec-v09/Gadgets-API-Specification.html#process
is silent on the issue of escaping during substitution, this could mean one of 2 things:

A) You should not do it, and Shindig no longer complies with the spec.
B) There was an oversight in the spec and someone should work to correct it.

I think it is option (A) because:

Substitutions are done many places, the Shindig escaping is simply HTML style escaping. So for instance, user pref substitution:

1) For "title" attribute. Since the "title" attribute may be a general string, containers must escape it themselves. So if you substitute with escaped strings, you get a double escape.
2) For URLs such as preloads, the example below, <script> tags, etc... These will simply be escaped wrong.
3) For use in raw HTML - This would be correct

Jon

-----Original Message-----
From: Guo Zhenhua [mailto:jen...@gmail.com]
Sent: Monday, December 14, 2009 10:30 AM
To: shindig-dev@incubator.apache.org
Subject: Gadget with content of url type does not work under some circumstances

Our sample gadget:
---------------
<?xml version="1.0" encoding="UTF-8"?>
<Module>
  <ModulePrefs title="Add Prefered URL"
               description="Add your Website URL to expose that as Gadget"
               scrolling="true">
    <Require feature="opensocial-0.8" />
    <Require feature="dynamic-height" />
  </ModulePrefs>
  <UserPref name="WebURL" display_name="HTML Page URL" datatype="string"
            required="true" default_value="http://example.com"/>
  <Content type="url" href="__UP_WebURL__"/>
</Module>
---------------

Basically, in the gadget above, we have a user preference named "WebURL". Then we specify a content element whose type is url.

  <Content type="url" href="__UP_WebURL__"/>

Note: value of attribute "href" will be replaced with the value of user preference "WebURL" when the gadget is rendered.
For example, if the value of user preference "WebURL" is "http://www.iub.edu", the content element will be

  <Content type="url" href="http://www.iub.edu"/>

Then shindig rendering server issues an HTTP redirection response to redirect user browser to the url (http://www.iub.edu in above example).

The problem is that shindig code applies html escape to user preference value always.
Related code is located in class *org.apache.shindig.gadgets.variables.UserPrefSubstituter*:

  substituter.addSubstitution(Substitutions.Type.USER_PREF, name,
      StringEscapeUtils.escapeHtml(value));

For example, if the value of a user preference is
"http://example.com/query?name=gerald&university=uni", it is transformed to
"http://example.com/query?name=gerald&amp;university=uni"
Note: "&" is escaped into sequence "&amp;"
As a result, the url does not refer to the resource that we want to access.

Questions
1) Is my understanding correct?
2) If my understanding is correct, maybe a html unescape should be applied to the url before http redirection is issued.

Thanks
Gerald
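The three substitution targets listed in the reply above, worked through as an added example; this is not Shindig code and was not posted by either participant. It compares HTML-escaping a user preference during substitution with substituting the raw value and encoding at each output point. The class SubstitutionContexts, the Sink enum, escapeEarly, escapeAtSink and the local escapeHtml stand-in are hypothetical names, and where the encoding would move to is an assumption.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class SubstitutionContexts {
    enum Sink { TITLE_ATTR, REDIRECT_URL, RAW_HTML }

    // Stand-in for HTML-style escaping (assumption: only & < > " are handled).
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    // Escape during substitution, as the UserPrefSubstituter line quoted above does.
    static String escapeEarly(String pref, Sink sink) {
        String substituted = escapeHtml(pref);
        // The container escapes the title again when it writes the attribute.
        return sink == Sink.TITLE_ATTR ? escapeHtml(substituted) : substituted;
    }

    // Substitute the raw value and let each sink encode for its own context.
    static String escapeAtSink(String pref, Sink sink) {
        // A redirect target goes into a Location header and is never HTML-decoded.
        return sink == Sink.REDIRECT_URL ? pref : escapeHtml(pref);
    }

    public static void main(String[] args) {
        Map<Sink, String> prefs = new LinkedHashMap<>();
        prefs.put(Sink.TITLE_ATTR, "Tom & Jerry");           // constructed sample
        prefs.put(Sink.REDIRECT_URL,                         // URL from the thread
                "http://example.com/query?name=gerald&university=uni");
        prefs.put(Sink.RAW_HTML, "<b>Tom & Jerry</b>");      // constructed sample

        for (Map.Entry<Sink, String> e : prefs.entrySet()) {
            Sink sink = e.getKey();
            String value = e.getValue();
            System.out.println(sink + "  input: " + value);
            System.out.println("  escaped at substitution: " + escapeEarly(value, sink));
            System.out.println("  encoded at the sink:     " + escapeAtSink(value, sink));
        }
    }
}
```

Only the raw HTML target produces the same output under both approaches; the title comes out double-escaped and the redirect URL carries a literal "&amp;" when escaping happens during substitution.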