Posted to dev@shindig.apache.org by "John Hjelmstad (JIRA)" <ji...@apache.org> on 2009/02/24 04:04:01 UTC

[jira] Created: (SHINDIG-937) Legacy _IG_Prefs.getString/Array methods should return unescaped prefs

Legacy _IG_Prefs.getString/Array methods should return unescaped prefs
----------------------------------------------------------------------

                 Key: SHINDIG-937
                 URL: https://issues.apache.org/jira/browse/SHINDIG-937
             Project: Shindig
          Issue Type: Bug
          Components: Javascript 
    Affects Versions: trunk
            Reporter: John Hjelmstad
             Fix For: trunk


The gadgets.Prefs.prototype.getString/Array methods changed the semantics of the equivalent methods in _IG_Prefs, by escaping data returned from them. This was done for sensible security reasons, but unfortunately also breaks many legacy gadgets.

In order to maintain functional backward compatibility, I submit the _IG_Prefs versions should return unescaped data rather than causing random breakages.

To be clear, this change would apply *only* to the prefs retrieved via JS, not to __UP substitution.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Re: [jira] Updated: (SHINDIG-937) Legacy _IG_Prefs.getString/Array methods should return unescaped prefs

Posted by Brian Eaton <be...@google.com>.
This looks right to me.

On Fri, Feb 27, 2009 at 1:13 PM, John Hjelmstad (JIRA) <ji...@apache.org> wrote:
>
>     [ https://issues.apache.org/jira/browse/SHINDIG-937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
>
> John Hjelmstad updated SHINDIG-937:
> -----------------------------------
>
>    Attachment: SHINDIG-937-2.patch
>
> Forgot to grant ASF license.
>

[jira] Resolved: (SHINDIG-937) Legacy _IG_Prefs.getString/Array methods should return unescaped prefs

Posted by "John Hjelmstad (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Hjelmstad resolved SHINDIG-937.
------------------------------------

    Resolution: Fixed

Patch committed.



[jira] Updated: (SHINDIG-937) Legacy _IG_Prefs.getString/Array methods should return unescaped prefs

Posted by "John Hjelmstad (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Hjelmstad updated SHINDIG-937:
-----------------------------------

    Attachment:     (was: SHINDIG-937-2.patch)



[jira] Commented: (SHINDIG-937) Legacy _IG_Prefs.getString/Array methods should return unescaped prefs

Posted by "Tim Moore (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12677619#action_12677619 ] 

Tim Moore commented on SHINDIG-937:
-----------------------------------

I'm still not convinced that the returned values should be escaped even in the new API.

I couldn't find anything in the OpenSocial spec that says that they should be (please send me a link if you've seen otherwise) so it seems like it could be a potential compatibility issue with other, non-Shindig gadget renderer implementations.

Perhaps it's sensible security if it's expected that pref values would only be concatenated into innerHTML strings, but if values are intended to be used in URLs, in DOM manipulation, or really anything else, the developer has to know to unescape the value, something completely unexpected that has tripped up a fair number of developers that I've worked with.

I agree that the __UP substitution should be escaped --- that's a different beast entirely and is most often used inline within content.



[jira] Updated: (SHINDIG-937) Legacy _IG_Prefs.getString/Array methods should return unescaped prefs

Posted by "John Hjelmstad (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Hjelmstad updated SHINDIG-937:
-----------------------------------

    Attachment: SHINDIG-937-2.patch

New patch attached reflecting improved implementation strategy. escape/unescape aren't inverses, so we shouldn't escape data at all.

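Added example, not Shindig's own code, illustrating two points from this thread: Tim Moore's observation that a value escaped for innerHTML is wrong for URL and DOM sinks, and John Hjelmstad's note that escape/unescape are not inverses. The sample prefs, `escapeHtml` and `naiveUnescape` are constructed for the illustration (the unescape stands in for a gadget-side helper, not for Shindig's gadgets.util functions).

```javascript
// Added example (not Shindig's code): why a prefs getter should hand back
// the raw value and let the caller escape for the sink it writes to.

// Minimal HTML escaper of the kind a gadget applies before innerHTML.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// A naive unescape a gadget author might write to undo the API's escaping.
// It decodes "&amp;" first, so a value that legitimately contained "&lt;"
// is decoded a second time: escape followed by unescape is not identity.
function naiveUnescape(s) {
  return String(s).replace(/&amp;/g, '&').replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>').replace(/&quot;/g, '"').replace(/&#39;/g, "'");
}

// Constructed sample prefs as a container would store them (raw, user-supplied).
var rawPrefs = {
  title: 'Tom & Jerry <3',
  feed: 'http://example.com/?q=a&b=c',
  note: '&lt;b&gt;'   // the user literally typed entity text
};

// Pre-escaping getter (the behaviour the ticket objects to) and raw getter
// (what the ticket proposes for the legacy _IG_Prefs methods).
function getStringEscaped(name) { return escapeHtml(rawPrefs[name]); }
function getStringRaw(name) { return rawPrefs[name]; }

// Sink A: an HTML fragment. Correct only when escaped exactly once; with the
// pre-escaping getter the page shows "&amp;" and "&lt;" to the user.
function htmlFragment(getter) {
  return '<h1>' + escapeHtml(getter('title')) + '</h1>';
}

// Sink B: a URL query parameter. Needs percent-encoding, never HTML entities;
// with the pre-escaping getter the fetched URL carries "amp;b=c".
function proxyUrl(getter) {
  return '/proxy?url=' + encodeURIComponent(getter('feed'));
}

// Does unescape(escape(x)) give x back? True for ordinary text, false when
// the raw value already looked like an entity.
function roundTrips(x) {
  return naiveUnescape(escapeHtml(x)) === x;
}
```

Escaping once at each sink is the only path that gives correct output for every sink, which is why the raw getter is the safer API for callers who must write to more than innerHTML.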


[jira] Updated: (SHINDIG-937) Legacy _IG_Prefs.getString/Array methods should return unescaped prefs

Posted by "John Hjelmstad (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Hjelmstad updated SHINDIG-937:
-----------------------------------

    Attachment: SHINDIG-937-2.patch

Forgot to grant ASF license.



[jira] Updated: (SHINDIG-937) Legacy _IG_Prefs.getString/Array methods should return unescaped prefs

Posted by "John Hjelmstad (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Hjelmstad updated SHINDIG-937:
-----------------------------------

    Attachment:     (was: SHINDIG-937.patch)



[jira] Updated: (SHINDIG-937) Legacy _IG_Prefs.getString/Array methods should return unescaped prefs

Posted by "John Hjelmstad (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Hjelmstad updated SHINDIG-937:
-----------------------------------

    Attachment: SHINDIG-937.patch

Proposed patch is attached. The patch does create a situation in which the gadgets.Prefs instance's getString and getArray methods will be overridden if a "new _IG_Prefs" is created. This situation should be essentially nonexistent, however. Reviews most welcome... I may have missed some other side effect.
