Posted to dev@shindig.apache.org by Guo Zhenhua <je...@gmail.com> on 2009/12/14 19:29:57 UTC

Gadget with content of url type does not work under some circumstances

Our sample gadget:
---------------
<?xml version="1.0" encoding="UTF-8"?>
<Module>
<ModulePrefs
        title="Add Prefered URL"
        description="Add your Website URL to expose that as Gadget"
        scrolling="true">
    <Require feature="opensocial-0.8" />
    <Require feature="dynamic-height" />
</ModulePrefs>
<UserPref name="WebURL" display_name="HTML Page URL" datatype="string"
required="true" default_value="http://example.com"/>
<Content type="url" href="__UP_WebURL__"/>
</Module>
---------------


Basically, in the gadget above, we have a user preference named
"WebURL". Then we specify a content element whose type is url.
   <Content type="url" href="__UP_WebURL__"/>
Note: value of attribute "href" will be replaced with the value of
user preference "WebURL" when the gadget is rendered.
For example, if the value of user preference "WebURL" is
"http://www.iub.edu", the content element will be
   <Content type="url" href="http://www.iub.edu"/>
Then shindig rendering server issues an HTTP redirection response to
redirect user browser to the url (http://www.iub.edu in above
example).

The problem is that shindig code applies html escape to user
preference value always.

Related code is located in class
*org.apache.shindig.gadgets.variables.UserPrefSubstituter*:
   substituter.addSubstitution(Substitutions.Type.USER_PREF,
       name, StringEscapeUtils.escapeHtml(value));

For example, if the value of a user preference is
   "http://example.com/query?name=gerald&university=uni",
it is transformed to
   "http://example.com/query?name=gerald&amp;university=uni"
Note: "&" is escaped into sequence "&amp;"
As a result, the url does not refer to the resource that we want to access.

Questions
1) Is my understanding correct?
2) If my understanding is correct, maybe a html unescape should be
applied to the url before http redirection is issued.

Thanks
Gerald

RE: Gadget with content of url type does not work under some circumstances

Posted by "Weygandt, Jon" <jw...@ebay.com>.
I would like to propose a change to the behavior, such that there is NO
escaping. Here's the rationale:

From the code this change happened on March 11. None of the referenced
bugs seem to indicate a request to make the change.

The OpenSocial specification section 3.1.3(4):
http://www.opensocial.org/Technical-Resources/opensocial-spec-v09/Gadgets-API-Specification.html#process
is silent on the issue of escaping
during substitution, this could mean one of 2 things:
A) You should not do it, and Shindig no longer complies with the spec.
B) There was an oversight in the spec and someone should work to correct
it.

I think it is option (A) because: Substitutions are done many places,
the Shindig escaping is simply HTML style escaping. So for instance,
user pref substitution:
1) For "title" attribute. Since the "title" attribute may be a general
string, containers must escape it themselves. So if you substitute with
escaped strings, you get a double escape.
2) For URLs such as preloads, the example below, <script> tags, etc...
These will simply be escaped wrong.
3) For use in raw HTML - This would be correct

Jon
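
Added example (not part of the thread and not Shindig code): the &amp; breakage described in the first message and the three substitution contexts listed in the reply, with the encoding chosen per output context. The class, enum and method names are hypothetical, only JDK classes are used, and the http/https check on the redirect target is an assumption of this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;

// Added example with hypothetical names, JDK only; not Shindig's UserPrefSubstituter.
public class PrefSubstitutionDemo {
    enum Context { HTML, URL }

    // Minimal HTML escaper for text and double-quoted attribute values.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    // Replace each __UP_name__ token, encoding the value for the sink it lands in.
    static String substitute(String template, Map<String, String> prefs, Context ctx) {
        String out = template;
        for (Map.Entry<String, String> e : prefs.entrySet()) {
            String v = (ctx == Context.HTML) ? escapeHtml(e.getValue()) : e.getValue();
            out = out.replace("__UP_" + e.getKey() + "__", v);
        }
        return out;
    }

    // URL sink: no HTML escaping; the result must parse as an absolute http(s) URI.
    static URI redirectTarget(String href, Map<String, String> prefs) throws URISyntaxException {
        URI uri = new URI(substitute(href, prefs, Context.URL));
        String scheme = uri.getScheme();
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            throw new URISyntaxException(uri.toString(), "redirect target must be http or https");
        }
        return uri;
    }

    public static void main(String[] args) throws URISyntaxException {
        // Sample value: the example URL quoted in the thread.
        Map<String, String> prefs =
            Map.of("WebURL", "http://example.com/query?name=gerald&university=uni");
        // HTML-escaping before the redirect changes the query string itself.
        System.out.println(new URI(escapeHtml(prefs.get("WebURL"))).getQuery());
        // URL context leaves the two parameters intact.
        System.out.println(redirectTarget("__UP_WebURL__", prefs).getQuery());
        // HTML context escapes once; a container escaping again double-escapes.
        String html = substitute("<a href=\"__UP_WebURL__\">link</a>", prefs, Context.HTML);
        System.out.println(html);
        System.out.println(escapeHtml(html));
    }
}
```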
