  [ 3 posts ]

Peter Peterson

YUI Contributor

  • Username: linuxpete
  • Joined: Tue Mar 03, 2009 1:02 pm
  • Posts: 10
  • GitHub: petey
  • Gists: petey

Parallel thinking

Post Posted: Tue Jun 15, 2010 8:50 am
I've been working on a similar Node editing module. I noticed that your editor has a similar problem to my initial rough take on it: a user might enter something that would look like an HTML tag, say "<foo", and the result would be an invisible, uneditable node.

Do you have plans to address this? Also, are there plans to make this more extensible, say with a select box or autocomplete?

Nate Cavanaugh

YUI Contributor

Tags:
  • node
  • ticket

Re: Parallel thinking

Post Posted: Mon Jun 21, 2010 11:08 pm
Hi Peter,
Thanks for the heads up. Would you mind creating a ticket here: http://issues.liferay.com/browse/AUI so we can track it?

The main issue is that the node is setting the innerHTML (to take advantage of the <br> tags), and though we're stripping all tags, we're not filtering for partial tags.
So this is something we want to address (and in a more robust way than just blacklisting all HTML tags).

Supporting more element types shouldn't be difficult to implement, since we're already using a ComboBox as the main input widget.
This could be separated out to allow easier passing in of a custom element or widget type, but if you have any ideas or thoughts on how you would best like to extend it, we'd definitely be interested.

Thanks Peter,

Peter Peterson

YUI Contributor

  • Username: linuxpete
  • Joined: Tue Mar 03, 2009 1:02 pm
  • Posts: 10
  • GitHub: petey
  • Gists: petey
Tags:
  • autocomplete
  • editor
  • io
  • node
  • plugin

Re: Parallel thinking

Post Posted: Wed Jun 23, 2010 10:46 am
I added a bug in your issue tracker with more details as to how this can potentially be exploited to cause an XSS attack.

Unfortunately, the best way to address this is probably to set up a whitelist of allowed tags and attributes, but this has to be processed prior to setting innerHTML. This is a REALLY tricky area.

I'd like to see enhancements like:
* Highlighting the editable node on mouseenter (not all nodes are going to say "edit me!")
* Configurable editors including but not limited to text, textarea (or even a rich text editor), select box, radio buttons, checkboxes, and autocomplete. Some of these you already have.
* An IO plugin that will contact the server to inform it of the change. This may be synchronous or asynchronous.
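The two posts above describe the same defect from both sides: stripping complete tags before assigning innerHTML lets a partial tag like "<foo" through (Nate's post), and the robust fix is to process the value against an allowlist of tags and attributes before it ever reaches innerHTML (Peter's reply). The code below is an added illustration written for this thread; it is not code from the thread, from YUI, or from the AlloyUI editor being discussed. It works on plain strings so it runs under Node without a DOM, and the allowlist (b, i, br, a with href) and the URL-scheme check are assumptions chosen for the demonstration.

```javascript
// Added example (not from the thread or the projects it discusses).
// Three string-level approaches to the "user typed '<foo'" problem.

// 1. The naive approach the thread describes: strip anything that looks like a
//    complete tag. A partial tag such as "<foo" has no closing ">" so it
//    survives, and a browser given it via innerHTML parses it as an empty
//    <foo> element: the invisible, uneditable node from the first post.
function stripCompleteTags(input) {
  return input.replace(/<[^>]*>/g, "");
}

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// 2. The safest fix for a plain-text editor that only wants line breaks:
//    escape everything, then turn newlines into <br>. "<foo" is rendered as
//    visible text instead of becoming an unclosed tag.
function textToHtmlWithBreaks(text) {
  return escapeHtml(text).replace(/\r?\n/g, "<br>");
}

// 3. An allowlist sanitizer, for the case where some markup must be kept.
//    Assumed allowlist: tag name -> attributes permitted on that tag.
const ALLOWED = { b: [], i: [], br: [], a: ["href"] };

// Assumed rule: only http(s), mailto, relative and fragment links survive.
function isSafeHref(value) {
  return /^(https?:\/\/|mailto:|\/|#)/i.test(value.trim());
}

// Tokenizes the input into text and complete tags. Text (including any
// partial tag, which never matches the tag pattern) is escaped; tags not on
// the allowlist are dropped; allowed tags are rebuilt with only allowed,
// re-escaped attributes, so nothing the user typed is copied through verbatim.
function sanitizeHtml(input) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
  const attrRe = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index)); // text before the tag
    last = tagRe.lastIndex;
    const closing = m[0].charAt(1) === "/";
    const name = m[1].toLowerCase();
    if (!(name in ALLOWED)) continue;               // drop unknown tags entirely
    if (closing) { out += `</${name}>`; continue; }
    const attrs = [];
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const attrName = a[1].toLowerCase();
      const attrValue = a[2] ?? a[3] ?? a[4] ?? "";
      if (!ALLOWED[name].includes(attrName)) continue;          // e.g. onclick
      if (attrName === "href" && !isSafeHref(attrValue)) continue; // e.g. javascript:
      attrs.push(` ${attrName}="${escapeHtml(attrValue)}"`);
    }
    out += `<${name}${attrs.join("")}>`;
  }
  out += escapeHtml(input.slice(last)); // trailing text, partial tags included
  return out;
}

module.exports = { stripCompleteTags, escapeHtml, textToHtmlWithBreaks, sanitizeHtml };
```

Run with Node: `stripCompleteTags('hello <foo')` returns the input unchanged, which is exactly the string that produces the phantom node, while `textToHtmlWithBreaks` and `sanitizeHtml` both turn it into `hello &lt;foo`. The sanitizer does not balance mismatched nesting or decode entities inside attribute values; a production allowlist filter should parse into a tree rather than tokenize with regular expressions, but the structure (escape text, allowlist tags, allowlist and re-escape attributes, check URL schemes) is the one Peter's post calls for.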