Details
- Type: Improvement
- Status: Closed
- Priority: Minor
- Resolution: Invalid
- Affects Version/s: 1.7
- Fix Version/s: None
- Component/s: ICE-Components
- Labels: None
- Environment: Any
- Support Case References:
Description
The current behavior of components such as outputLink, commandButton, etc. is to render single quotes used in any attribute as a character reference, and double quotes likewise. To prevent cross site scripting, only outputText has an escape attribute.
This improvement request is to add a lesser escape attribute to commandButton, commandLink, outputLink, etc.
Basically this "soft escape" attribute would (if set to false) not escape single and double quotes. An example use case where this is needed is:
<ice:outputLink value="http://www.google.com" onclick="javascript: doSomething('important', '40');">......
In this case the onclick will render with a character reference in place of the single quotes, which will not work properly with the javascript method being called. If a softescape="false" (or similar) attribute was allowed, this situation could be solved.
Note that the XML attribute syntax allows the following:
AttValue ::= '"' ([^<&"] | Reference)* '"' | "'" ([^<&'] | Reference)* "'"
So a softescape attribute would only need to ignore the escaping of a few characters, while still maintaining security against cross site scripting.
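The attribute-escaping question raised in the description, as an added JavaScript example that is not ICEfaces code (the entity spellings, the simplified markup in renderLink and the attacker-influenced first argument are assumptions): it applies full escaping and the proposed soft escaping to the ticket's onclick value, then decodes the attribute value the way an XML/HTML parser does per the AttValue production quoted above. References are resolved before the value reaches the script engine, so a fully escaped onclick still runs the original text, while passing quotes through lets a value close the attribute and start another one.

```javascript
// Added example, not code from ICEfaces. Entity spellings, the markup in
// renderLink() and the attacker-influenced argument below are assumptions.

// Full attribute escaping: the characters the XML AttValue production cannot
// carry literally (either quote, '<', '&') plus '>'.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The proposed "soft escape": quotes pass through untouched.
function softEscapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// What a parser does with an attribute value before handing it to any consumer
// (the script engine included): resolve named and numeric references.
const NAMED_REFS = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
function decodeAttrValue(raw) {
  return raw.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, ref) => {
    if (ref[0] === "#") {
      const hex = ref[1] === "x" || ref[1] === "X";
      return String.fromCodePoint(parseInt(hex ? ref.slice(2) : ref.slice(1), hex ? 16 : 10));
    }
    const name = ref.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : match;
  });
}

// The <a> tag an outputLink with an onclick renders to, simplified (assumption).
function renderLink(href, onclick, escaper) {
  return `<a href="${escaper(href)}" onclick="${escaper(onclick)}">...</a>`;
}

// Minimal start-tag attribute parser for double-quoted values, returning
// [name, decodedValue] pairs in document order. A value that closes its
// attribute early shows up as an extra, attacker-named pair.
function parseStartTagAttrs(tag) {
  const inner = tag.slice(tag.indexOf(" "), tag.indexOf(">"));
  const re = /([^\s"'<>\/=]+)\s*=\s*"([^"]*)"/g;
  const attrs = [];
  let m;
  while ((m = re.exec(inner)) !== null) attrs.push([m[1], decodeAttrValue(m[2])]);
  return attrs;
}

// Constructed inputs: the ticket's own handler, and the same handler with the
// first argument taken from untrusted data (assumption) that carries a '"'.
const TICKET_ONCLICK = "javascript: doSomething('important', '40');";
const HOSTILE_ONCLICK = "javascript: doSomething('x\" onmouseover=\"alert(1)', '40');";
const HREF = "http://www.google.com";

function demo() {
  return {
    // Full escaping round-trips: the script engine sees the ticket's exact text.
    roundTrip: decodeAttrValue(escapeAttr(TICKET_ONCLICK)) === TICKET_ONCLICK,
    full: parseStartTagAttrs(renderLink(HREF, TICKET_ONCLICK, escapeAttr)),
    // Soft escaping: the '"' in the data ends onclick and starts onmouseover.
    softHostile: parseStartTagAttrs(renderLink(HREF, HOSTILE_ONCLICK, softEscapeAttr)),
    // Full escaping keeps the same data inside the single onclick attribute.
    fullHostile: parseStartTagAttrs(renderLink(HREF, HOSTILE_ONCLICK, escapeAttr)),
  };
}

// Running the file directly prints the parsed attribute lists.
if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log("round trip ok:", r.roundTrip);
  for (const [label, attrs] of [["full", r.full], ["soft+hostile", r.softHostile], ["full+hostile", r.fullHostile]]) {
    console.log(label, attrs.map(([n, v]) => `${n}=${JSON.stringify(v)}`).join(" "));
  }
}
```

One caveat the example makes visible: attribute escaping only keeps a value inside its attribute. Because the parser hands the decoded text to the script engine unchanged, data placed inside a JavaScript string literal in an event handler also needs JavaScript string escaping applied first; attribute escaping on its own, full or soft, does not address that.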
Activity
Field | Original Value | New Value |
---|---|---|
Priority | Major [ 3 ] | Minor [ 4 ] |
Support Case References | | https://www.icesoft.ca:4443/supportilla/show_bug.cgi?id=4970 |
Salesforce Case | [] | |
Fix Version/s | 2.0-Beta [ 10032 ] | |
Assignee | | Ken Fyten [ ken.fyten ] |
Salesforce Case | [] | |
Fix Version/s | 2.0-Alpha3 [ 10032 ] | |
Assignee | | Ken Fyten [ ken.fyten ] |
Status | Open [ 1 ] | Closed [ 6 ] |
Resolution | | Invalid [ 6 ] |