Posted to dev@shindig.apache.org by "Tim Moore (JIRA)" <ji...@apache.org> on 2009/02/28 02:45:19 UTC

[jira] Commented: (SHINDIG-937) Legacy _IG_Prefs.getString/Array methods should return unescaped prefs

    [ https://issues.apache.org/jira/browse/SHINDIG-937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12677619#action_12677619 ] 

Tim Moore commented on SHINDIG-937:
-----------------------------------

I'm still not convinced that the returned values should be escaped even in the new API.

I couldn't find anything in the OpenSocial spec that says that they should be (please send me a link if you've seen otherwise) so it seems like it could be a potential compatibility issue with other, non-Shindig gadget renderer implementations.

Perhaps it's sensible security if it's expected that pref values would only be concatenated into innerHTML strings, but if values are intended to be used in URLs, in DOM manipulation, or really anything else, the developer has to know to unescape the value, something completely unexpected that has tripped up a fair number of developers that I've worked with.

I agree that the __UP substitution should be escaped --- that's a different beast entirely and is most often used inline within content.

> Legacy _IG_Prefs.getString/Array methods should return unescaped prefs
> ----------------------------------------------------------------------
>
>                 Key: SHINDIG-937
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-937
>             Project: Shindig
>          Issue Type: Bug
>          Components: Javascript 
>    Affects Versions: trunk
>            Reporter: John Hjelmstad
>             Fix For: trunk
>
>         Attachments: SHINDIG-937-2.patch
>
>
> The gadgets.Prefs.prototype.getString/Array methods changed the semantics of the equivalent methods in _IG_Prefs, by escaping data returned from them. This was done for sensible security reasons, but unfortunately also breaks many legacy gadgets.
> In order to maintain functional backward compatibility, I submit the _IG_Prefs versions should return unescaped data rather than causing random breakages.
> To be clear, this change would apply *only* to the prefs retrieved via JS, not to __UP substitution.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.