On Tue, Mar 9, 2010 at 9:34 AM, Stuart Roebuck <stuart.roeb...@gmail.com> wrote:

> Ross,
>
> Thanks - yes, the NodeSeq is all generated from templates internally.
>

Then Ross's solution is the best for you.


> The end user does not have any access to change this stuff so this
> particular security issue shouldn't be a problem in this case.
>
> Stuart.
>
> On Mar 9, 5:30 pm, Ross Mellgren <dri...@gmail.com> wrote:
> > Ah yes, the reason I went through the fixHtml route is because Stuart
> > specifically mentioned he wanted to process those.
> >
> > Stuart, you should make sure to properly secure this stuff -- either as
> > an admin-only thing (understanding that that person has as much rights as
> > you) or by scrubbing the XML thoroughly.
> >
> > -Ross
> >
> > On Mar 9, 2010, at 12:26 PM, David Pollak wrote:
> >
> > > On Tue, Mar 9, 2010 at 9:14 AM, Ross Mellgren <dri...@gmail.com> wrote:
> > > Try this (I haven't tested it, so there could be lurking bugs):
> >
> > > case class JQueryNodeSeq(ns: NodeSeq) extends JsExp with JQueryLeft with HtmlFixer {
> > >   override def toJsCmd = "jQuery(" + JsStr(fixHtml("NodeSeqDialog", ns)).toJsCmd + ")"
> > > }
> >
> > > Ross,
> >
> > > This is good code, but introduces a potential security vulnerability. ;-)
> >
> > > fixHtml runs the NodeSeq through Lift's snippet handler.  If you have
> > > web-user input, a user could type in <lift:xxxx/> and cause server-side code
> > > to be executed.
> >
> > > import net.liftweb.util._
> > > import Helpers._
> >
> > > Personally, I'd suggest "jQuery(" + AltXML.toXML(nodeSeq, false, true).encJs + ")"
> >
> > > Thanks,
> >
> > > David
> >
> > > Then JQueryNodeSeq(ns) ~> JsFunc("dialog")
> >
> > > -Ross
> >
> > > On Mar 9, 2010, at 12:06 PM, Stuart Roebuck wrote:
> >
> > > > I'm trying to produce a web page with editable content.
> >
> > > > When the user clicks an edit button on a line it uses jQuery to
> > > > display a modal dialog which allows fields of that line to be edited.
> >
> > > > I can easily produce a snippet to produce the lines using the backend
> > > > data and an XHTML template and binding etc.
> >
> > > > However, I also want the template to include the template for the
> > > > dialog.  So I want the ajax button callback to send JavaScript to
> > > > instantiate the jQuery UI dialog based on the template and bindings.
> >
> > > > To build this I need to assemble a JsCmd containing the NodeSeq that
> > > > comes from the XHTML sequence and the bindings.
> >
> > > > In short, if this was straight jQuery I would have some JavaScript of
> > > > the form:
> >
> > > > $(<div title="Dialog Title">theFormNodeSeq</div>).dialog()
> >
> > > > But in my case theFormNodeSeq comes from a NodeSeq that was assembled
> > > > from part of the XHTML template and the bindings and the end result
> > > > needs to be a JsCmd.
> >
> > > > So I'm trying to do something like:
> >
> > > > JsCmds.Run("$(" + theFormNodeSeq.toString + ").dialog()")
> >
> > > > But I need to address escaping issues with the HTML and I also need to
> > > > pre-process any "<lift:… />" commands in theFormNodeSeq.
> >
> > > > Any advice (please)?
> >
> > > > --
> > > > You received this message because you are subscribed to the Google
> > > > Groups "Lift" group.
> > > > To post to this group, send email to lift...@googlegroups.com.
> > > > To unsubscribe from this group, send email to
> > > > liftweb+unsubscr...@googlegroups.com.
> > > > For more options, visit this group at
> > > > http://groups.google.com/group/liftweb?hl=en.
> >
> >
> > > --
> > > Lift, the simply functional web framework http://liftweb.net
> > > Beginning Scala http://www.apress.com/book/view/1430219890
> > > Follow me: http://twitter.com/dpp
> > > Surf the harmonics
> >
>


-- 
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890
Follow me: http://twitter.com/dpp
Surf the harmonics
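An added example (my own code, not Ross's, David's or Lift's) that makes David's point concrete without depending on Lift: `liftTags` is a hypothetical guard that finds `lift:`-prefixed elements a web user could have typed before anything is handed to fixHtml, and `dialogCmd` follows David's safe route, serialising the NodeSeq and emitting it as an escaped JavaScript string literal. `jsStringLiteral` is a stand-in for Lift's `encJs`, the `<lift:xxxx/>` input is constructed, and scala-xml is assumed to be on the classpath.

```scala
import scala.xml.{Elem, NodeSeq, Utility}

object DialogJs {
  // Elements with the "lift" prefix are exactly what Lift's snippet handler
  // (and therefore fixHtml) would dispatch to server-side code. Hypothetical
  // guard: run it on anything that did not come from your own templates.
  def liftTags(ns: NodeSeq): Seq[Elem] =
    ns.flatMap(_.descendant_or_self).collect {
      case e: Elem if e.prefix == "lift" => e
    }

  // Stand-in for Lift's encJs: escape a string so it is a valid JS literal and
  // cannot break out of the surrounding <script> or string context.
  def jsStringLiteral(s: String): String = {
    val sb = new StringBuilder("\"")
    s.foreach {
      case '\\' => sb.append("\\\\")
      case '"'  => sb.append("\\\"")
      case '\n' => sb.append("\\n")
      case '\r' => sb.append("\\r")
      case '<'  => sb.append("\\u003c") // so "</script>" inside markup is inert
      case '>'  => sb.append("\\u003e")
      case c if c < 0x20 => sb.append("\\u" + "%04x".format(c.toInt))
      case c => sb.append(c)
    }
    sb.append('"').toString
  }

  // David's route: serialise the markup as text and hand the browser a string,
  // so the server never interprets <lift:...> tags that may be inside it.
  def dialogCmd(ns: NodeSeq): String = {
    val markup = ns.map(n => Utility.toXML(n).toString).mkString
    "jQuery(" + jsStringLiteral(markup) + ").dialog()"
  }

  def main(args: Array[String]): Unit = {
    // Constructed input: the dialog template plus a tag a web user might type.
    val untrusted: NodeSeq =
      <div title="Dialog Title"><input name="field"/><lift:xxxx/></div>

    val found = liftTags(untrusted)
    if (found.nonEmpty)
      println("refusing fixHtml: found " + found.map(_.label).mkString(", "))
    println(dialogCmd(untrusted))
  }
}
```

Run it with `scala DialogJs.scala` (or from sbt with scala-xml as a dependency); the guard reports the `xxxx` element, and the emitted `jQuery(...)` call carries the markup only as an escaped string.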
