Hi Daniele,

&nbsp; does not render as a non-breaking space when serving a page as 
application/xhtml+xml mime type. Only the core named XML entities (&gt; &lt; 
&quot; etc…) render correctly. You should use the numbered entity &#160; for 
compatibility. I know Wonder uses a lot of named HTML entities, but if you ever 
work with real XHTML you will curse them.

I would not advise making escapeHTML=true by default. I suspect you will open 
yourself up to lots of XSS attacks that way as the default has always been 
false. Those of us designing components have not explicitly stated false in a 
binding in most places.

Furthermore, if you are using WOString to inject lots of HTML, you're doing it 
wrong. HTML belongs in the WODynamicElements and WOComponents. I make the 
singular exception for localized strings because creating localized components 
is typically overkill and creates lots of tedious redundancy. 

In the localized string case (GSVExceptionViewer sounds like one) you should use 
escapeHTML=false, so the component should be patched. You simply must remember 
that you cannot redisplay a value directly back to the user without potentially 
opening yourself up to a cross-site scripting attack. You should escape the 
value string before redisplaying it.

Ramsey
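As an added example (not code from this thread, from Wonder or from Validity.framework), the pattern Ramsey describes for the localized-string exception: the message template keeps its trusted markup, the user-supplied value is escaped before it is spliced in, and only the result is bound with escapeHTML = false. The class, method and binding names are assumptions; the sample template and typed value are constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * The template is trusted localized markup (like checkConsistency's
 * "Please provide a <b>Email</b>."); the user value is not. Escape the value,
 * splice it in, then bind the result in the .wod with escaping turned off:
 *
 *   ErrorString : WOString { value = safeMessage; escapeHTML = false; }
 */
public final class SafeLocalizedMessage {

    private static final Pattern PLACEHOLDER = Pattern.compile("\\{(\\d+)\\}");

    // Escape the characters that let text break out of an HTML text or
    // attribute context. A numbered entity is used for the apostrophe because
    // &apos; is not an HTML 4 entity (the same named-vs-numbered concern as
    // &nbsp; under an XHTML mime type).
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Replace {0}, {1}, ... in the trusted template with escaped user values.
    // The template's own tags survive; a user value can never add tags of its own.
    public static String render(String trustedTemplate, String... userValues) {
        Matcher m = PLACEHOLDER.matcher(trustedTemplate);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            int idx = Integer.parseInt(m.group(1));
            String v = idx < userValues.length ? escapeHtml(userValues[idx]) : "";
            m.appendReplacement(out, Matcher.quoteReplacement(v));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a localized validation message plus a value a user typed.
        String template = "Please provide a valid <b>Email</b>; \"{0}\" is not one.";
        String typed = "<i>nobody</i>@example";
        System.out.println(render(template, typed));
    }
}
```

The same escaping is what you would apply to any user-controlled fragment before it reaches a WOString bound with escapeHTML = false; the template itself must come from your own localized strings, never from the request.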

On Nov 7, 2012, at 6:42 AM, Daniele Corti wrote:

> Hi list, 
> maybe a stupid question, but is there a way to define the default behaviour of 
> WOString?
> 
> I mean WOString binding have as default:
> 
> escapeHTML = true;
> valueWhenEmpty = "";
> 
> In most parts of my WebApps I define escapeHTML = "$false" and valueWhenEmpty 
> = " ", not just in Tables, to get correct HTML from WOString.
> 
> The problem occurs when I use components from third parties, where I cannot 
> change the behaviour of subcomponents.
> 
> For Example, I use the Validity.framework's GSVExceptionViewer component, to 
> display errors.
> 
> I've noticed that errors coming from the EOEnterpriseObject.checkConsistency() method 
> have some HTML inside the text (e.g. in class User, if the email field is empty, it 
> returns "Please provide a <b>Email</b>."), so when I display the error the 
> HTML is escaped and rendered in the page, which is not very beautiful. 
> To avoid this, I have changed the component's .wod file in order to use 
> escapeHTML = false; on the WOString bindings, but it would be nice to do this 
> globally.
> 
> So, the question: is there a way to change default behavior of WOString, 
> without subclassing it? For example a key in Properties file?  
> 
> Thanks in advance!
> 
> -- 
> Daniele Corti
> --
> I DON'T DoubleClick
> 
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list      (Webobjects-dev@lists.apple.com)
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/webobjects-dev/ramseygurley%40gmail.com
> 
> This email sent to ramseygur...@gmail.com

