Posted to dev@myfaces.apache.org by "David (JIRA)" <de...@myfaces.apache.org> on 2006/03/23 19:44:18 UTC
[jira] Created: (TOMAHAWK-212) t:inputHtml messes up if value has </script> in it
t:inputHtml messes up if value has </script> in it
---------------------------------------------------
Key: TOMAHAWK-212
URL: http://issues.apache.org/jira/browse/TOMAHAWK-212
Project: MyFaces Tomahawk
Type: Bug
Versions: 1.1.2-SNAPSHOT
Reporter: David
Fix For: 1.1.2-SNAPSHOT
t:inputHTML gets the value into kupu by creating JS like this
myFacesKupuSet("test <script type=\"text/javascript\" language=\"JavaScript\"></script>blah");
Because the javascript isn't in CDATA (it is in a comment), the </script> causes the javascript to end. The code that produces the JS code I have above needs to do one of the following...
1. use CDATA -- not sure if this would be a good way to go with older browsers
2. replace occurrences of </script> with </scr" + "ipt>
so we would get
myFacesKupuSet("test <script type=\"text/javascript\" language=\"JavaScript\"></scr" + "ipt>blah");
Thanks
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
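
An added example (not MyFaces or kupu code; all function names are hypothetical) of the encoding step the report asks for. It goes beyond the single case in the report: it compares option 2 taken literally with escaping every `<` in the generated string literal, which also covers upper-case and whitespace variants of the end tag.

```javascript
// Added example, not MyFaces code. All function names are hypothetical.
const ESCAPES = {
  "\\": "\\\\", '"': '\\"', "'": "\\'", "\n": "\\n", "\r": "\\r",
  "<": "\\x3C",            // no "</script" or "<!--" survives in the output
  ">": "\\x3E",            // also breaks "-->" and "]]>"
  "&": "\\x26",            // inert if the page is parsed as XHTML
  "\u2028": "\\u2028", "\u2029": "\\u2029", // line terminators in older JS engines
};

// Encode a value as a JS string literal that can sit inside an inline <script>.
function toInlineScriptString(value) {
  return '"' + String(value).replace(/[\\"'\n\r<>&\u2028\u2029]/g, (c) => ESCAPES[c]) + '"';
}

// Option 2 from the report, taken literally: split only the exact tag text.
function splitTagOnly(value) {
  const body = String(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return '"' + body.replace(/<\/script>/g, '</scr" + "ipt>') + '"';
}

// Stand-in for the renderer: builds the call shown in the report.
function renderKupuSetCall(value, encode) {
  return "myFacesKupuSet(" + encode(value) + ");";
}

// Would an HTML parser end the script element inside this script text?
// The end tag is matched case-insensitively and may carry trailing whitespace.
function closesScriptElement(scriptText) {
  return /<\/script[\s\/>]/i.test(scriptText);
}

// Run the generated call against a stub to see what kupu would receive.
function evaluateCall(call) {
  let received;
  new Function("myFacesKupuSet", call)((v) => { received = v; });
  return received;
}

// Constructed samples: the value from the report and an upper-case variant.
const samples = [
  'test <script type="text/javascript" language="JavaScript"></script>blah',
  "x</SCRIPT >y",
];
for (const value of samples) {
  for (const encode of [splitTagOnly, toInlineScriptString]) {
    const call = renderKupuSetCall(value, encode);
    console.log(encode.name, closesScriptElement(call), evaluateCall(call) === value);
  }
}
```

This covers only the premature end of the script block; whether script tags should be allowed to reach the editor at all is a separate filtering decision.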
[jira] Commented: (TOMAHAWK-212) t:inputHtml messes up if value has </script> in it
Posted by "Werner Punz (JIRA)" <de...@myfaces.apache.org>.
[ http://issues.apache.org/jira/browse/TOMAHAWK-212?page=comments#action_12371688 ]
Werner Punz commented on TOMAHAWK-212:
--------------------------------------
I am not sure if it is feasible at all to push a script tag into a rich edit control; there are limits on what you can do with a rich edit control at all.
I think it would be better to have a script filtering enforcement so that script tags cannot reach the rich edit control at all.
After all, being able to push scripts into the rich edit seems to me like a huge security issue (pushing scripts for later execution in an open environment screams for the call exploit).
> t:inputHtml messes up if value has </script> in it
> ---------------------------------------------------
>
> Key: TOMAHAWK-212
> URL: http://issues.apache.org/jira/browse/TOMAHAWK-212
> Project: MyFaces Tomahawk
> Type: Bug
> Versions: 1.1.2-SNAPSHOT
> Reporter: David
> Fix For: 1.1.2-SNAPSHOT
>
> t:inputHTML gets the value into kupu by creating JS like this
> myFacesKupuSet("test <script type=\"text/javascript\" language=\"JavaScript\"></script>blah");
> Because the javascript isn't in CDATA (it is in a comment), the </script> causes the javascript to end. The code that produces the JS code I have above needs to do one of the following...
> 1. use CDATA -- not sure if this would be a good way to go with older browsers
> 2. replace occurrences of </script> with </scr" + "ipt>
> so we would get
> myFacesKupuSet("test <script type=\"text/javascript\" language=\"JavaScript\"></scr" + "ipt>blah");
> Thanks