    HTML escaping of data in ListGrid fields

    Dear all,

    I am using a ListGrid.
    If this data contains XML-like text, e.g. <n.a.>, the browser hides this data, because it interprets this text as an unknown HTML tag.

    Is it possible to define a mode for a ListGrid field which says: this represents raw text; if it contains special HTML characters, escape it before dumping it on screen?
    I know a similar thing in Struts. When you are using the write tag, you can specify by an attribute whether the data should be filtered.

    I would like to avoid escaping the data manually (e.g. by record.setAttribute("xxx", escape(data)))...

    The problem with this solution is: If the cells are editable, I have to convert it back if the user starts edit mode for a field and vice versa.

    Do you have any suggestions?

    Thank you very much.

    Best Regards

    Uwe

    #2
    We have the same question. Can anyone answer this?

    Thanks,



      #3
      @yavery In SmartClient, you can call value.toString().asHTML() to get simple escaping. Note this is *not* intended as a cross-site scripting prevention mechanism - for that, as with other web applications, use server-side scanning and strip out or reject any unsafe data prior to saving.



        #4
        We'll add a helper method in StringUtil to do this.



          #5
          You have provided a method-based solution to this issue, but is there an attribute-based method to change the way a cell renders its content? I am having a similar problem with some content that consists of HTML code. Having the text "&frac12;" in a database record causes the grid to simply not display. I would like for the grid to NOT render this as the HTML one-half character, but rather leave it as the user typed it: &frac12;



            #6
            What exactly do you propose for the following situation:

            1) Our users will input text values in standard Isomorphic input boxes. Those may or may not contain special characters like &, etc.

            2) We want to have the information serialized into the database exactly as the user has input it, with the & (no &amp; etc.), so that if we output it anywhere (HTML or not), we get those characters as-is.

            3) We also need to have this information displayed inside lists which are HTML based, but for some reason, ListGrid doesn't escape these codes (using the proposed technique) before rendering. Also, any other HTML based component has that behavior (no escaping before rendering).

            4) We are not looking for any script-injection prevention techniques, at least for now.

            We are concerned with #3. Do we need to override the ListGrid control to have the escaping done? Shouldn't that be built-in?

            Any proposed strategy to have this taken care of in the most global way? We don't want to have exceptions coded all over the place to take care of this.

            Kind regards,



              #7
              To get what you want, don't process the value as it's being saved at all, and add a formatCellValue() override to call String.asHTML(). It's not automatic because some applications want the formatting taken literally and some don't.

              Note (mostly for others): it's a security issue to allow user-entered HTML directly into the database and allow it to be delivered to the client-side. It's only OK for this user because they've explicitly stated they aren't worried about this class of attack (presumably all users are trusted).



                #8
                Would this mean we'd need to override TreeGrid, ListGrid, TextItem (canEdit=false), SelectItem and any other control that can display data which can be input by the user and potentially contain HTML reserved characters?

                Wouldn't it be simpler to just have a boolean attribute on these controls so we could have this built-in?

                Our application is highly meta driven and almost everything can be entered by the user (menus, captions, labels, etc.), therefore this problem is being encountered all over the place. We need a generic solution which can be implemented in one place, or in as few places as possible.

                Any further insight on how this can be tackled/achieved in the most generic way?

                Thanks again for your help,



                  #9
                  Use a SimpleType. If you create one with a normalDisplayFormatter and shortDisplayFormatter that use asHTML() to do the escaping, all dataBoundComponents (basically your list below) will pick up that behavior whenever you declare a field with that type.

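The render-time escaping that #7 and #9 recommend, as an added example that is not from the thread or from SmartClient itself: `escapeHtml` stands in for `String.asHTML()`, the formatter has the `(value, field, component, record)` shape the display-formatter hooks receive, and the `isc.SimpleType.create` call at the end is an assumption about the SmartClient API that only runs when the library is loaded. The stored record is never modified, so editing a cell still shows exactly what the user typed.

```javascript
// Added example, not SmartClient's own code. Escaping happens only when a cell is
// rendered; the record keeps the raw value, so there is nothing to "convert back"
// when the user enters edit mode.

// The five characters that change meaning inside HTML text or attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Stand-in for SmartClient's String.asHTML(): output-encode one value.
function escapeHtml(value) {
  if (value == null) return "";
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Formatter with the (value, field, component, record) signature used by
// normalDisplayFormatter / shortDisplayFormatter (and usable from a
// formatCellValue() override). It ignores field/component/record on purpose.
function escapedDisplayFormatter(value, field, component, record) {
  return escapeHtml(value);
}

// Constructed sample records covering the cases raised in the thread: a value that
// looks like an unknown tag (<n.a.>) and a literal entity reference (&frac12;).
const SAMPLE_RECORDS = [
  { id: 1, note: "<n.a.>" },
  { id: 2, note: "&frac12;" },
  { id: 3, note: 'say "hi" & <b>bye</b>' },
];

// Render one column the way a grid would: one formatted string per record.
function renderColumn(records, fieldName, formatter) {
  return records.map((r) => formatter(r[fieldName], { name: fieldName }, null, r));
}

// Register the type when SmartClient is present (assumed API shape). Any
// dataBoundComponent field declared with type: "escapedText" then escapes on display.
if (typeof isc !== "undefined" && isc.SimpleType) {
  isc.SimpleType.create({
    name: "escapedText",
    inheritsFrom: "text",
    normalDisplayFormatter: escapedDisplayFormatter,
    shortDisplayFormatter: escapedDisplayFormatter,
  });
}
```

Note that a display formatter only protects the cells it is attached to; captions, menus and other components that render user-entered text need the same escaping at their own render points.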