Problem with WAScriptTag content escaping, when nested into a WAScriptTag

Balázs Kósi
Hi!

If you try this example:

renderContentOn: html

   html div
      id: 'x';
      with: 'foo'.
   html script: (
      html element
         id: 'x';
         update: [ :r | html script: 'alert(1)' ])

Seaside2.8a1-pmm.573 renders this for the script tag:

<script type="text/javascript">
/*<![CDATA[*/$('x').update('<script
type="text/javascript">/*<![CDATA[*/alert(1)/*]]>*/
</script>
')/*]]>*/

It appears in the browser like this:

foo
')/*]]>*/

And you get an "unterminated string literal" javascript error.
Maybe the second paragraph of this:
http://en.wikipedia.org/wiki/CDATA#Uses_of_CDATA_sections is related
to the problem.

Thanks, Balázs
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
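
The following is an added example, not part of the original post or of Seaside's code. It models, in JavaScript, where an HTML parser and an XML parser each stop reading the outer script in the output quoted above, and shows a string encoding that keeps `</script>` and `]]>` out of the page source; the function names and the sample markup are constructed for illustration.

```javascript
// Constructed sample: the inner markup that ends up inside update('...').
const inner = '<script type="text/javascript">/*<![CDATA[*/alert(1)/*]]>*/</script>';

// Where an HTML parser stops reading script content: the first "</script"
// followed by whitespace, "/" or ">", regardless of JavaScript string quoting.
// Simplification: the "<!--" escaped-script states are not modelled.
function htmlScriptBody(content) {
  const m = /<\/script[\s\/>]/i.exec(content);
  return m ? content.slice(0, m.index) : content;
}

// Where an XML parser (XHTML served as XML) ends a CDATA section: the first "]]>".
function cdataBody(content) {
  const i = content.indexOf(']]>');
  return i === -1 ? content : content.slice(0, i);
}

// Naive embedding: single-quoted literal with the markup pasted in verbatim.
function naiveLiteral(s) {
  return "'" + s + "'";
}

// Hardened embedding: JSON string literal, then hide every "<" and ">" (and
// the U+2028/U+2029 line separators) behind \uXXXX escapes. The JavaScript
// value is unchanged, but no "</script" or "]]>" remains in the page source.
function inlineScriptLiteral(s) {
  return JSON.stringify(s).replace(/[<>\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Content of the outer <script> element, wrapped the way the post shows it.
function outerScript(literal) {
  return "/*<![CDATA[*/$('x').update(" + literal + ")/*]]>*/";
}

const broken = outerScript(naiveLiteral(inner));
const fixed = outerScript(inlineScriptLiteral(inner));

console.log(htmlScriptBody(broken));          // script cut off inside the string
console.log(htmlScriptBody(fixed) === fixed); // whole script reaches the JS engine
```

In the naive case the text left over after the first `</script>` is exactly the `')/*]]>*/` that the browser displayed.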

Re: Problem with WAScriptTag content escaping, when nested into a WAScriptTag

Philippe Marschall
2008/10/15 Balázs Kósi <[hidden email]>:

> Hi!
>
> If you try this example:
>
> renderContentOn: html
>
>   html div
>      id: 'x';
>      with: 'foo'.
>   html script: (
>      html element
>         id: 'x';
>         update: [ :r | html script: 'alert(1)' ])
>
You use the wrong renderer: you use html but should use r.

Cheers
Philippe

Re: Problem with WAScriptTag content escaping, when nested into a WAScriptTag

Balázs Kósi
Hi!

> You use the wrong renderer: you use html but should use r.
I usually get it right :-/

I corrected it, but get the same results.
The basic problem is, as far as I understand, that it renders nested CDATAs,
but CDATA sections can't be nested.

Thanks, Balázs

Re: Problem with WAScriptTag content escaping, when nested into a WAScriptTag

Philippe Marschall
2008/10/15, Balázs Kósi <[hidden email]>:
> Hi!
>
>> You use the wrong renderer: you use html but should use r.
> I usually get it right :-/
>
> I corrected it, but get the same results.

You're probably doing it wrong, it should probably be something like:

update: [ :r | r script alert: 1 ]

Cheers
Philippe

Re: Problem with WAScriptTag content escaping, when nested into a WAScriptTag

Balázs Kósi
> You're probably doing it wrong, it should probably be something like:
>
> update: [ :r | r script alert: 1 ]

In the block r is not an SUFactory, but a WARenderCanvas, so r script
gives you a WAScriptTag.

Cheers, Balázs

Re: Problem with WAScriptTag content escaping, when nested into a WAScriptTag

Steve Aldred-3
In reply to this post by Balázs Kósi
Balázs Kósi wrote:

> Hi!
>
> If you try this example:
>
> renderContentOn: html
>
>    html div
>       id: 'x';
>       with: 'foo'.
>    html script: (
>       html element
>          id: 'x';
>          update: [ :r | html script: 'alert(1)' ])

Haven't you given two different entities (div & element) the same id?
Ids must be unique or browsers do weird things.

cheers
Steve

RE: Problem with WAScriptTag content escaping, when nested into a WAScriptTag

Boris Popov, DeepCove Labs (SNN)
In this case 'element' produces a little scriptaculous helper object and setting its 'id' indicates which actual dom element it should operate on.

-Boris


Re: Problem with WAScriptTag content escaping, when nested into a WAScriptTag

Balázs Kósi
Hi!

I concluded for now that rendering <script> tags with SUElement >>
update: is to be avoided.

Cheers, Balázs

Re: Problem with WAScriptTag content escaping, when nested into a WAScriptTag

Lukas Renggli
> I concluded for now that rendering <script> tags with SUElement >>
> update: is to be avoided.

Try to avoid inline script-tags at all cost. In addition to the
problems you observed, inline scripts are executed _while the page is
loading_ and might cause errors because the DOM tree hasn't been
loaded completely. See the shipped example code, nobody is creating
<script> tags like this.

I might have missed something in the thread, but I don't really
understand what you are trying to do with your example. Why do you
need the div tag at all?

Anyway, to get a message on page load you can write:

    self session addLoadScript: (html javascript alert: 1)

Or to manipulate the DOM of a particular element write:

    html div script: (html element update: [ :r | r text: 'Hello' ])

Best of all, you don't even need to think of unique IDs here.

Cheers,
Lukas

--
Lukas Renggli
http://www.lukas-renggli.ch

Re: Problem with WAScriptTag content escaping, when nested into a WAScriptTag

Balázs Kósi
> I might have missed something in the thread, but I don't really
> understand what you are trying to do with your example. Why do you
> need the div tag at all?
I tried to strip down the example, and it lost its meaning in the process.

My goal is to create a form, where the user sees the values as parts
of a sentence.
When a value is clicked, I replace it with an editor for the value,
much like the 'in-place-editor'.

So I got to this problem of nested CDATAs, like: set up a click
observer for the values div,
which replaces the div contents with html for the editor, which
contained a <script> tag.

Thanks for the hints!

Balázs

Re: Problem with WAScriptTag content escaping, when nested into a WAScriptTag

Steve Aldred-3
Balázs Kósi wrote:

>> I might have missed something in the thread, but I don't really
>> understand what you are trying to do with your example. Why do you
>> need the div tag at all?
>>    
> I tried to strip down the example, and it lost its meaning in the process.
>
> My goal is to create a form, where the user sees the values as parts
> of a sentence.
> When a value is clicked, I replace it with an editor for the value,
> much like the 'in-place-editor'.
>  

Couldn't you do that with a span containing another span (with your
text) with an onClick? The onclick invokes an updater to update the
outer span content with your editor - no scripts needed.

You need two spans else your next click fires it again.

cheers
Steve

Re: Problem with WAScriptTag content escaping, when nested into a WAScriptTag

Balázs Kósi
> Couldn't you do that with a span containing another span (with your text)
> with an onClick? The onclick invokes an updater to update the outer span
> content with your editor - no scripts needed.
I do almost exactly that. A div in a div, with an onClick handler,
but it uses an element update instead of an ajax updater, because
I want it to respond immediately.
It renders like this:

<div id="id2">
  <div onclick="$('id2').update('...html for the editor with <script>
tags...')"> static text </div>
</div>

Maybe I could just render both the static text, and the editor, and
toggle their visibility.
And yeah, probably I should use spans.

Thanks, Balázs