Posted to dev@tapestry.apache.org by hl...@apache.org on 2011/10/19 18:55:35 UTC

svn commit: r1186329 - /tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js

Author: hlship
Date: Wed Oct 19 16:55:35 2011
New Revision: 1186329

URL: http://svn.apache.org/viewvc?rev=1186329&view=rev
Log:
TAP5-1442: XSS vulnerability in calendar component

Modified:
    tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js

Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js?rev=1186329&r1=1186328&r2=1186329&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/corelib/components/datefield.js Wed Oct 19 16:55:35 2011
@@ -12,185 +12,185 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-Tapestry.DateField = Class.create( {
+Tapestry.DateField = Class.create({
 
-	// Initializes a DateField from a JSON specification.
+    // Initializes a DateField from a JSON specification.
 
-	initialize : function(spec) {
-		this.field = $(spec.field);
-		this.trigger = $(spec.field + "-trigger");
-		this.parseURL = spec.parseURL;
-		this.formatURL = spec.formatURL;
+    initialize : function(spec) {
+        this.field = $(spec.field);
+        this.trigger = $(spec.field + "-trigger");
+        this.parseURL = spec.parseURL;
+        this.formatURL = spec.formatURL;
 
-		this.trigger.observe("click", this.triggerClicked.bind(this));
+        this.trigger.observe("click", this.triggerClicked.bind(this));
 
-		this.popup = null;
-	},
+        this.popup = null;
+    },
 
-	triggerClicked : function() {
-		if (this.field.disabled)
-			return;
+    triggerClicked : function() {
+        if (this.field.disabled)
+            return;
 
-		if (this.popup == null) {
-			this.createPopup();
+        if (this.popup == null) {
+            this.createPopup();
 
-		} else {
-			if (this.popup.visible()) {
-				this.hidePopup();
-				return;
-			}
-		}
+        } else {
+            if (this.popup.visible()) {
+                this.hidePopup();
+                return;
+            }
+        }
 
-		var value = $F(this.field).escapeHTML();
+        var value = $F(this.field).escapeHTML();
 
-		if (value == "") {
-			this.datePicker.setDate(null);
+        if (value == "") {
+            this.datePicker.setDate(null);
 
-			this.positionPopup();
+            this.positionPopup();
 
-			this.revealPopup();
+            this.revealPopup();
 
-			return;
-		}
+            return;
+        }
 
-		var resultHandler = function(result) {
-			var date = new Date();
+        var resultHandler = function(result) {
+            var date = new Date();
 
-			date.setTime(result);
+            date.setTime(result);
 
-			this.datePicker.setDate(date);
+            this.datePicker.setDate(date);
 
-			this.positionPopup();
+            this.positionPopup();
 
-			this.revealPopup();
-		};
+            this.revealPopup();
+        };
 
-		var errorHandler = function(message) {
-			this.field.showValidationMessage(message);
-			this.field.activate();
-		};
+        var errorHandler = function(message) {
+            this.field.showValidationMessage(message.escapeHTML());
+            this.field.activate();
+        };
 
-		this.sendServerRequest(this.parseURL, value, resultHandler,
-				errorHandler);
-	},
+        this.sendServerRequest(this.parseURL, value, resultHandler,
+            errorHandler);
+    },
 
-	sendServerRequest : function(url, input, resultHandler, errorHandler) {
-		var successHandler = function(response) {
-			var json = response.responseJSON;
+    sendServerRequest : function(url, input, resultHandler, errorHandler) {
+        var successHandler = function(response) {
+            var json = response.responseJSON;
 
-			var result = json.result;
+            var result = json.result;
 
-			if (result) {
-				resultHandler.call(this, result);
-				return;
-			}
+            if (result) {
+                resultHandler.call(this, result);
+                return;
+            }
 
-			errorHandler.call(this, json.error);
-		}.bind(this);
+            errorHandler.call(this, json.error);
+        }.bind(this);
 
-		Tapestry.ajaxRequest(url, {
-			method : 'get',
-			parameters : {
-				input : input
-			},
-			onSuccess : successHandler
-		});
-	},
+        Tapestry.ajaxRequest(url, {
+            method : 'get',
+            parameters : {
+                input : input
+            },
+            onSuccess : successHandler
+        });
+    },
 
-	createPopup : function() {
-		this.datePicker = new DatePicker();
+    createPopup : function() {
+        this.datePicker = new DatePicker();
 
-		this.datePicker.setFirstWeekDay(this.firstDay);
+        this.datePicker.setFirstWeekDay(this.firstDay);
 
-		this.popup = $(this.datePicker.create());
+        this.popup = $(this.datePicker.create());
 
-		this.field.insert( {
-			after : this.popup
-		});
+        this.field.insert({
+            after : this.popup
+        });
 
-		this.popup.absolutize().hide();
+        this.popup.absolutize().hide();
 
-		this.datePicker.onselect = function() {
-			var date = this.datePicker.getDate();
+        this.datePicker.onselect = function() {
+            var date = this.datePicker.getDate();
 
-			var resultHandler = function(result) {
-				this.field.value = result;
+            var resultHandler = function(result) {
+                this.field.value = result;
 
-				this.hidePopup();
+                this.hidePopup();
 
-				new Effect.Highlight(this.field);
-			};
+                new Effect.Highlight(this.field);
+            };
 
-			var errorHandler = function(message) {
-				this.field.showValidationMessage(message);
-				this.field.activate();
+            var errorHandler = function(message) {
+                this.field.showValidationMessage(message.escapeHTML());
+                this.field.activate();
 
-				this.hidePopup();
-			};
+                this.hidePopup();
+            };
 
-			// If the field is blank, don't bother going to the server to parse!
+            // If the field is blank, don't bother going to the server to parse!
 
-			if (date == null) {
-				resultHandler.call(this, "");
-				return;
-			}
+            if (date == null) {
+                resultHandler.call(this, "");
+                return;
+            }
 
-			this.sendServerRequest(this.formatURL, date.getTime(),
-					resultHandler, errorHandler);
-		}.bind(this);
-	},
+            this.sendServerRequest(this.formatURL, date.getTime(),
+                resultHandler, errorHandler);
+        }.bind(this);
+    },
 
-	positionPopup : function() {
-		// The field may be a hidden field, in which csae, position the popup
-		// based on the trigger, not
-		// the hidden.
+    positionPopup : function() {
+        // The field may be a hidden field, in which csae, position the popup
+        // based on the trigger, not
+        // the hidden.
 
-		var reference = this.field.type == "text" ? this.field : this.trigger;
+        var reference = this.field.type == "text" ? this.field : this.trigger;
 
-		this.popup.clonePosition(reference, {
-			offsetTop : reference.getHeight() + 2
-		}).setStyle( {
-			width : "",
-			height : ""
-		});
-	},
+        this.popup.clonePosition(reference, {
+            offsetTop : reference.getHeight() + 2
+        }).setStyle({
+                width : "",
+                height : ""
+            });
+    },
 
-	/** Duration, in seconds, used when fading the popup in or out. */
+    /** Duration, in seconds, used when fading the popup in or out. */
 
-	FADE_DURATION : .20,
+    FADE_DURATION : .20,
 
-	hidePopup : function() {
-		new Effect.Fade(this.popup, {
-			duration : this.FADE_DURATION
-		});
-	},
+    hidePopup : function() {
+        new Effect.Fade(this.popup, {
+            duration : this.FADE_DURATION
+        });
+    },
 
-	revealPopup : function() {
+    revealPopup : function() {
 
-		// Only show one DateField popup at a time.
+        // Only show one DateField popup at a time.
 
-	if (Tapestry.DateField.activeDateField != undefined
-			&& Tapestry.DateField.activeDateField != this) {
-		Tapestry.DateField.activeDateField.hidePopup();
-	}
+        if (Tapestry.DateField.activeDateField != undefined
+            && Tapestry.DateField.activeDateField != this) {
+            Tapestry.DateField.activeDateField.hidePopup();
+        }
 
-	new Effect.Appear(this.popup, {
-		duration : this.FADE_DURATION
-	});
+        new Effect.Appear(this.popup, {
+            duration : this.FADE_DURATION
+        });
 
-	Tapestry.DateField.activeDateField = this;
-}
+        Tapestry.DateField.activeDateField = this;
+    }
 });
 
 Tapestry.DateField.localized = false;
 
 Tapestry.DateField.initLocalization = function(localization) {
-	DatePicker.months = localization.months;
-	DatePicker.days = localization.days.toArray();
+    DatePicker.months = localization.months;
+    DatePicker.days = localization.days.toArray();
 
-	Tapestry.DateField.prototype.firstDay = localization.firstDay;
+    Tapestry.DateField.prototype.firstDay = localization.firstDay;
 };
 
 Tapestry.Initializer.dateField = function(spec) {
-	new Tapestry.DateField(spec);
-}
\ No newline at end of file
+    new Tapestry.DateField(spec);
+}
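Review bot: The two new `this.field.showValidationMessage(message.escapeHTML());` lines, in triggerClicked's and createPopup's error handlers, throw a TypeError when `message` is undefined, which sendServerRequest produces via `errorHandler.call(this, json.error)` whenever the response carries neither a `result` nor an `error` field; `if (result)` also sends a falsy result (a parse result of `0`, i.e. the epoch, or an empty formatted string) down the error path. Normalising once in sendServerRequest, `errorHandler.call(this, json.error == null ? "" : String(json.error));`, keeps both handlers safe, and the presence test is more precise as `if (result !== undefined && result !== null) {` if the server can legitimately return `0`. Separately, `var value = $F(this.field).escapeHTML();` escapes the field text before it is sent as the `input` parameter to parseURL, so any `&`, `<` or `>` the user typed is altered before the server parses it; with escaping now applied where the message is displayed, the server-bound value presumably should go out unescaped, though the server-side contract is not visible here. Both error handlers sit in methods that are fully contained in the hunk.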