This support forum belongs to the AlloyUI State Interaction Gallery Module.
AlloyUI State Interaction has a bug tracker here: http://issues.liferay.com/browse/AUI
I've been working on a similar Node editing module. I noticed that your editor has a problem similar to the one in my initial rough take on it: a user might enter something that looks like an HTML tag, say "<foo", and the result would be an invisible, uneditable node.
Do you have plans to address this? Also, are there plans to make this more extensible, say with a select box or autocomplete?
Nate Cavanaugh (YUI Contributor)
Hi Peter,

Thanks for the heads up. Would you mind creating a ticket here: http://issues.liferay.com/browse/AUI so we can track it?

The main issue is that the node is setting the innerHTML (to take advantage of the br's), and though we're stripping all tags, we're not filtering for partial tags. So this is something we want to address (and in a more robust way than just blacklisting all HTML tags).

Supporting more element types shouldn't be difficult to implement, since we're already using a ComboBox as the main input widget. This could be separated out to allow easier passing in of a custom element or widget type, but if you have any ideas or thoughts on how you would best like to extend it, we'd definitely be interested.

Thanks Peter,

I added a bug in your issue tracker with more details as to how this can potentially be exploited to cause an XSS attack.
Unfortunately, the best way to address this is probably to set up a whitelist of allowed tags and attributes, but this has to be processed prior to setting innerHTML. This is a REALLY tricky area. I'd like to see enhancements like:
* Highlighting the editable node on mouseenter (not all nodes are going to say "edit me!")
* Configurable editors including but not limited to text, textarea (or even a rich text editor), select box, radio buttons, checkboxes, and autocomplete. Some of these you already have.
* An IO plugin that will contact the server to inform it of the change. This may be synchronous or asynchronous.
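As an added illustration of the two points made in this thread (Nate's observation that stripping complete tags leaves partial ones like "<foo" untouched, and Peter's suggestion of an allowlist processed before innerHTML is set), here is a small comparison in plain JavaScript. It is not code from the thread or from AlloyUI; the `<br>`-only allowlist, the helper names and the sample inputs are assumptions made for the example.

```javascript
// Added example; not code from the thread or from the AlloyUI project.
// Contrasts the "strip all tags" blacklist described in the thread with an
// escape-then-allowlist step that runs before any innerHTML assignment.

// Blacklist: remove anything that looks like a complete <tag ...>.
// A partial tag such as "<foo" has no closing '>', so the pattern never
// matches and the fragment reaches innerHTML unchanged, where the browser's
// parser treats it as the start of an unknown element (the invisible,
// uneditable node the thread describes).
function stripTags(text) {
  return String(text).replace(/<[^>]*>/g, "");
}

// Allowlist: escape every character that is meaningful to the HTML parser,
// then reintroduce only the markup the editor needs. Here that is just <br>
// for line breaks (an assumption about what this editor wants to keep).
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

function toSafeHtml(text) {
  return escapeHtml(text).replace(/\r\n|\r|\n/g, "<br>");
}

// Reverse mapping so the editor can read the plain text back out of the
// node's innerHTML after a round trip.
const UNESCAPES = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };

function fromSafeHtml(html) {
  return String(html)
    .replace(/<br\s*\/?>/gi, "\n")
    .replace(/&(amp|lt|gt|quot|#39);/g, (m) => UNESCAPES[m]);
}

// Constructed inputs: a partial tag, a complete tag, and multi-line text.
const SAMPLES = ["<foo", "<b>bold</b>", "line one\nline two"];

// Returns one row per sample showing what each approach would hand to innerHTML.
function compare(samples) {
  return samples.map((s) => ({ input: s, stripped: stripTags(s), safe: toSafeHtml(s) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of compare(SAMPLES)) console.log(row);
}
```

Running the block prints the three rows; the "<foo" row is the one to look at, since `stripTags` passes it through unchanged while `toSafeHtml` turns it into `&lt;foo`, which renders as visible text rather than starting a tag.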
© 2006-2013 Yahoo! Inc. All rights reserved.