Posted to dev@velocity.apache.org by "Christopher Schultz (JIRA)" <ve...@apache.org> on 2005/10/16 17:04:48 UTC

[jira] Updated: (VELTOOLS-52) ValidatorTool javascript generator can generate invalid Javascript

     [ http://issues.apache.org/jira/browse/VELTOOLS-52?page=all ]

Christopher Schultz updated VELTOOLS-52:
----------------------------------------

    Attachment: ValidatorTool.diff

Patch to fix output escaping.

This replaces ValidatorTool.escapeQuotes with a method that escapes not only double quotes, but also single-quotes, backslashes, carriage-returns, and newlines. I also applied this method not just to the error messages for each validation rule, but also to the variable values themselves.


> ValidatorTool javascript generator can generate invalid Javascript
> ------------------------------------------------------------------
>
>          Key: VELTOOLS-52
>          URL: http://issues.apache.org/jira/browse/VELTOOLS-52
>      Project: VelocityTools
>         Type: Bug
>   Components: VelocityStruts
>     Versions: 1.2
>  Environment: Using JDK1.4.2 / Linux 2.4 kernel / Tomcat 4.1
>     Reporter: Christopher Schultz
>     Assignee: Nathan Bubna
>      Fix For: 1.2
>  Attachments: ValidatorTool.diff
>
> ValidatorTool can create invalid javascript in a few situations.
> Here is an example of such a situation and also an example of the invalid javascript it generates.
> Suppose you have the following dynamic action form validation rules defined (this is actually a text field which is intended to be used as an "other" input when a drop-down has the value of "Other").
> <pre>
>       <field property="selectOther"
>              depends="validwhen,maxlength"
> 	     page="1">
>         <arg0 key="prompt.selectOther"/>
> 	<arg1 name="maxlength" key="${var:maxlength}" resource="false" />
> 	<var><var-name>maxlength</var-name><var-value>255</var-value></var>
>         <var>
> 	    <var-name>test</var-name>
> 	    <var-value>
>                 (((select == "Other") and (*this* != null)) or
> 		(select != "Other"))
> 	    </var-value>
> 	</var>
>       </field>
> </pre>
> When ValidatorTool generates Javascript for this, you get the following:
> <pre>
>     .
>     .
>     .
>     this.a3 = new Array("orgTypeOther", "The field Organization Type cannot be greater than 255 characters.", new Function ("varName", "this.maxlength='255'; this.test='(((orgType == "Other") and (*this* != null)) or
> 		(orgType != "Other"))';  return this[varName];"));
>     .
>     .
>     .
> </pre>
> Note that there is a newline in the string literal (invalid) and that the double-quotes used in my "validwhen" rule have not been escaped, which prematurely ends the double-quoted string starting with <code>"this.maxlength</code>, which really confuses the Javascript interpreter.
> It turns out that switching from double-quotes to single-quotes doesn't help, since there are also single-quoted strings within that double-quoted string, so basically it won't work no matter what you do (since backslash-escaping the quotes will cause the validwhen test itself to become invalid).
> I see two solutions: properly escape the variable values being dumped into Javascript, or avoid adding the "test" variable to the Javascript, since it will be ignored, anyway.
> I propose fixing the escaping, since there may be other validator "var" values with this same problem.

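The escaping problem described in the report, as an added example that is not part of the original message and is not the attached ValidatorTool.diff. The function names (escapeJsString, generateVarFunction, readBack) and the sample input are hypothetical; the sketch assumes var names are plain identifiers and applies the escaper at both nesting levels, since each value sits in a single-quoted literal inside the double-quoted Function body.

```javascript
// Added example; function names are hypothetical, not ValidatorTool's API.
// Escapes the characters the patch description lists: \ " ' CR LF.
function escapeJsString(value) {
  return value
    .replace(/\\/g, "\\\\") // backslash first, so later escapes are not doubled
    .replace(/"/g, '\\"')
    .replace(/'/g, "\\'")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n");
}

// Build the generated expression in the shape the report shows: each var value
// sits in a single-quoted literal inside the double-quoted Function body, so
// the escaper runs once per nesting level. Var names are assumed to be plain
// identifiers.
function generateVarFunction(vars, escape) {
  const body = Object.entries(vars)
    .map(([name, value]) => `this.${name}='${escape(value)}';`)
    .join(" ") + " return this[varName];";
  return `new Function("varName", "${escape(body)}")`;
}

// No-op escaper: reproduces the unescaped output quoted in the report.
const identity = (s) => s;

// Evaluate generated source and read one var back; on a parse failure return
// the error name instead.
function readBack(source, varName) {
  try {
    const fn = new Function(`return ${source};`)();
    return fn.call({}, varName);
  } catch (e) {
    return e.name;
  }
}

// Constructed sample input modelled on the validwhen rule in the report.
const sampleVars = {
  maxlength: "255",
  test: '(((select == "Other") and (*this* != null)) or\n\t\t(select != "Other"))',
};

console.log(readBack(generateVarFunction(sampleVars, identity), "test"));
console.log(readBack(generateVarFunction(sampleVars, escapeJsString), "test") === sampleVars.test);
```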