I think the JSON helper function should be implemented. This logic should be contained within the controller and not within the view as I would deem it business logic and not rendering logic.
On Jul 24, 7:52 pm, mdipierro <mdipie...@cs.depaul.edu> wrote: > Should we have a JSON helper (same as you JD)? > > On Jul 24, 1:15 pm, Michael Ellis <michael.f.el...@gmail.com> wrote: > > > Something good has come out of this: while looking for a workaround I > > learned about simplejson.dumps(). So now I've defined my own little helper > > JD() > > > import simplejson > > def JD(obj): > > return XML(simplejson.dumps(obj,indent=4)) > > > In my view (or controller) I can lump into one variable everything I'm going > > to need to pass into my js at render time, e.g. > > > PT = dict( > > updatenow=False, > > schartoptions = dict( > > type ='bar', > > barColor ='green', > > chartRangeMin = chartmin, > > chartRangeMax = chartmax, > > ) > > ## add more objects here ... > > ) > > > then put a single line at the top of my js script and reference everything > > as part of that namespace, e.g. > > <script type="text/javascript"> > > ... > > var PT = {{=JD(PT)}}; > > ... > > > $(#something).sparkline( ..., PT.schartoptions); > > ... > > </script> > > > The JD(PT) expands to a nicely indented js declaration, e.g. > > > var PT = { > > "updatenow": false, > > "schartoptions": { > > "chartRangeMin": 0, > > "barColor": "green", > > "type": "bar", > > "chartRangeMax": 1 > > } > > > }; > > > What's also cool is that if all or part of that declaration corresponds to > > data coming in from a getJSON() loop after the page is loaded, then > > everything's already defined and initialized. > > > This feels like a definite improvement over what I was doing before. Far > > less clutter and definitely DRY'er. > > > Cheers, > > Mike > > > On Sat, Jul 24, 2010 at 9:34 AM, Phyo Arkar <phyo.arkarl...@gmail.com>wrote: > > > > I am also doing more and more in JS for views. Even search engine for > > > tables, i am using JQGrid's local search (at latest version if JQGrid).It > > > dont need server side at all for search to work, which make it a lot > > > faster > > > + lesser hit on server performance. > > > > On Sat, Jul 24, 2010 at 7:53 PM, Michael Ellis > > > <michael.f.el...@gmail.com>wrote: > > > >> My bad. It does work. In my earlier attempt to use it I forgot that a > > >> for loop variable isn't an object reference when looping over a list of > > >> strings. So the value of schartoptions wasn't being altered at all, just > > >> the loop variable. > > > >> I'm still in favor of an alternate operator, though. As it is now, I've > > >> moved all my chart options inside the script tag e.g. > > > >> var schartoptions = { > > >> type: 'bar', > > >> barColor: 'green', > > >> chartRangeMin: '{{=chartmin}}', > > >> chartRangeMax: '{{=chartmax}}' > > >> }; > > > >> and substitute only the things that have to be determined at run time > > >> rather than clutter up my expressions by wrapping them in XML(). > > > >> I'd much rather code in python than js, but I'm beginning to feel that > > >> using more js and less python in views makes a lot of sense. > > > >> Thanks, > > >> Mike > > > >> On Sat, Jul 24, 2010 at 8:40 AM, mdipierro > > >> <mdipie...@cs.depaul.edu>wrote: > > > >>> I am confused: > > >>> Does this now work? > > > >>> {{ > > >>> schartoptions = """{ > > >>> type: 'bar', > > >>> barColor: 'green', > > >>> chartRangeMin: '%d', > > >>> chartRangeMax: '%d' > > >>> } > > >>> """%(chartmin,chartmax) > > > >>> }} > > > >>> and later on I use the variables within a script tag, e.g. > > > >>> <script type="text/javascript"> > > >>> /* <![CDATA[ */ > > >>> $("#{{=ks+kc}}").sparkline(data.wsc.{{=ks}}.{{=kc}}, > > >>> {{=XML(schartoptions)}} > > >>> </script> > > > >>> If not, what are chartmin and chartmax, are they themselves helpers? > > > >>> On Jul 24, 7:28 am, Michael Ellis <michael.f.el...@gmail.com> wrote: > > >>> > Massimo, I'm not following you. I tried using XML (see earlier post) > > >>> and it > > >>> > had no effect. Does it only work if applied immediately before the = > > >>> > operator? > > > >>> > Also, I think ":=" or something similar is much cleaner than wrapping > > >>> > everything in a function call. > > > >>> > Cheers, > > >>> > Mike > > > >>> > On Sat, Jul 24, 2010 at 8:19 AM, mdipierro <mdipie...@cs.depaul.edu> > > >>> wrote: > > >>> > > This > > > >>> > > {{:=never_escaped}} > > > >>> > > would be the same as > > > >>> > > {{=XML(ever_escaped)}} > > > >>> > > so why introduce new syntax? > > > >>> > > On Jul 24, 7:14 am, Michael Ellis <michael.f.el...@gmail.com> wrote: > > >>> > > > I could happily live with a solution that adds a 'no escape' > > >>> operator to > > >>> > > the > > >>> > > > template language, e.g. > > > >>> > > > {{:=never_escaped}} > > > >>> > > > vs > > > >>> > > > {{=always_escaped}} > > > >>> > > > 1. Backward compatible, > > > >>> > > > 2. Safe by default, > > > >>> > > > 3. Allows designer to decide what's safe and what isn't, > > > >>> > > > 4. Seems like an easier fix than trying to make the rendering > > >>> > > > code > > >>> smart > > >>> > > > enough to always distinguish js from html strings. > > > >>> > > > Just a thought, > > >>> > > > Mike > > > >>> > > > On Sat, Jul 24, 2010 at 4:02 AM, mdipierro < > > >>> mdipie...@cs.depaul.edu> > > >>> > > wrote: > > >>> > > > > Thadeus, > > > >>> > > > > This was a security fix. We had a a security review and this was > > >>> > > > > determined to be a weakness. The code by Mike Ellis broke not > > >>> because > > >>> > > > > of the fix but because it incorrectly implicitly assumed that > > >>> the > > >>> > > > > strings were HTML/XML and therefore needed escaping when, in > > >>> reality, > > >>> > > > > they were JS strings. > > > >>> > > > > If we had a review board, would you have opposed to this change? > > > >>> > > > > Massimo > > > >>> > > > > On Jul 23, 5:28 pm, Thadeus Burgess <thade...@thadeusb.com> > > >>> wrote: > > >>> > > > > > I also agree that this is a break in backwards compatibility. > > >>> It is > > >>> > > also > > >>> > > > > a > > >>> > > > > > change that was never considered for longer than 15 minutes > > >>> before > > >>> > > the > > >>> > > > > > decision to make the change was implemented. > > > >>> > > > > > I really wish we would put certain things such as this under a > > >>> review > > >>> > > > > board > > >>> > > > > > so they don't get into web2py and break things! > > > >>> > > > > > -- > > >>> > > > > > Thadeus > > > >>> > > > > > On Fri, Jul 23, 2010 at 2:33 PM, MikeEllis < > > >>> > > michael.f.el...@gmail.com > > >>> > > > > >wrote: > > > >>> > > > > > > Typo: 2 sentence in prior message should read > > > >>> > > > > > > " ... after XML() supplies the unescaped string." > > > >>> > > > > > > On Jul 23, 3:28 pm, Michael Ellis <michael.f.el...@gmail.com > > > >>> > > wrote: > > >>> > > > > > > > Urgh! FWIW, putting XML() around the strings doesn't seem > > >>> to > > >>> > > work. > > >>> > > > > > > Looks > > >>> > > > > > > > like the escaping is applied after XML() supplies the > > >>> unquoted > > >>> > > > > string. > > > >>> > > > > > > > I tried > > >>> > > > > > > > {{ > > >>> > > > > > > > for optstring in (schartoptions, countpieoptions, > > >>> cchartoptions): > > >>> > > > > > > > optstring = XML(optstring) > > >>> > > > > > > > debug("opstring=%s"%optstring) > > >>> > > > > > > > pass}} > > > >>> > > > > > > > after assigning the strings and before they are used in > > >>> inside > > >>> > > the > > >>> > > > > > > <script> > > >>> > > > > > > > tags. > > > >>> > > > > > > > The debug() calls show the strings with the single quotes > > >>> > > unescaped, > > >>> > > > > but > > >>> > > > > > > > they still end up being escaped in what gets sent to > > >>> browser. > > > >>> > > > > > > > On Fri, Jul 23, 2010 at 2:16 PM, Michael Ellis < > > >>> > > > > > > michael.f.el...@gmail.com>wrote: > > > >>> > > > > > > > > Thanks, Nathan. That's certainly a possibility. It's > > >>> just that > > >>> > > I'm > > >>> > > > > not > > >>> > > > > > > > > sure what security issue this change actually fixes. > > >>> There are > > >>> > > no > > >>> > > > > > > > > user-supplied strings in what I'm using to generate the > > >>> jQuery > > >>> > > > > calls. > > >>> > > > > > > If > > >>> > > > > > > > > that were the case, then yes it would definitely be my > > >>> > > > > responsibility > > >>> > > > > > > to > > >>> > > > > > > > > properly sanitize it. > > > >>> > > > > > > > > Have to say this feels like a loss of backward > > >>> compatibility > > >>> > > to > > >>> > > > > me. > > >>> > > > > > > I've > > >>> > > > > > > > > got a fair amount of code in this app that uses that > > >>> technique; > > >>> > > > > it's > > >>> > > > > > > already > > >>> > > > > > > > > inherently messy because of the indirection involved in > > >>> code > > >>> > > > > > > generation. > > >>> > > > > > > > > Wrapping it all in XML calls just adds to the mess. > > >>> Hope > > >>> > > there's > > >>> > > > > a > > >>> > > > > > > way to > > >>> > > > > > > > > refine the security fix so that it's confined to the > > >>> areas that > > >>> > > > > matter. > > > >>> > > > > > > > > Cheers, > > >>> > > > > > > > > Mike > > > >>> > > > > > > > > On Fri, Jul 23, 2010 at 1:56 PM, mr.freeze < > > >>> > > nat...@freezable.com> > > >>> > > > > > > wrote: > > > >>> > > > > > > > >> It was probably introduced as a security fix. You can > > >>> do: > > >>> > > > > > > > >> {{ > > >>> > > > > > > > >> schartoptions = XML("""{ > > >>> > > > > > > > >> type: 'bar', > > >>> > > > > > > > >> barColor: 'green', > > >>> > > > > > > > >> chartRangeMin: '%d', > > >>> > > > > > > > >> chartRangeMax: '%d' > > >>> > > > > > > > >> } > > >>> > > > > > > > >> """%(chartmin,chartmax)) > > >>> > > > > > > > >> }} > > > >>> > > > > > > > >> and it won't be escaped. > > > >>> > > > > > > > >> On Jul 23, 12:39 pm, Michael Ellis < > > >>> michael.f.el...@gmail.com > > > >>> > > > > wrote: > > >>> > > > > > > > >> > I've got an app with views that > > ... > > read more »