| From | Sent On | Attachments |
|---|---|---|
| Karthik Sudarshan | Mar 24, 2008 1:56 am | |
| joshna | Mar 24, 2008 2:06 am | |
| Subject: | Re: Code review for fixing the script issue | |
|---|---|---|
| From: | joshna (Josh...@Sun.COM) | |
| Date: | Mar 24, 2008 2:06:47 am | |
| List: | net.java.dev.mirage.dev | |
Karthik Sudarshan wrote:
Hi all, in the Xinha editor, if a <script> element is provided, then it is stored as is, and hence executed by the browser when the template is applied.
The fix for this is to encode the <script> element so that it is displayed as is. I've modified the TemplateBean since the API and impl use the Freemarker templating language, which is not specific to HTML alone.
Code diff:
Index: mirage-portlets/customContentDefinitions/src/java/com/sun/portal/cms/portlet/ccd/beans/TemplateBean.java ===================================================================
--- mirage-portlets/customContentDefinitions/src/java/com/sun/portal/cms/portlet/ccd/beans/TemplateBean.java (revision 230) +++ mirage-portlets/customContentDefinitions/src/java/com/sun/portal/cms/portlet/ccd/beans/TemplateBean.java (working copy) @@ -121,8 +121,8 @@ return this.templateName; }
- public void setTemplateMarkup(String templateMarkup){ - this.templateMarkup=templateMarkup; + public void setTemplateMarkup(String templateMarkup){ + this.templateMarkup=encodeTemplateMarkup(templateMarkup); }
public String getTemplateMarkup(){ @@ -392,6 +392,16 @@ } return "templateSaved"; } + + private String encodeTemplateMarkup(String templateMarkup) { + if(templateMarkup == null || templateMarkup.trim().length() == 0){ + return templateMarkup; + } + + String encodedMarkup = templateMarkup.trim(); + encodedMarkup = encodedMarkup.replaceAll("<script", "<script").replaceAll("</script", "</script"); + return encodedMarkup; + }
private void resetFields(){ templateName=null;
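Review bot: with `this.templateMarkup=encodeTemplateMarkup(templateMarkup);` in setTemplateMarkup (hunk at line 121), the setter now silently alters what it stores, both by encoding and by the trim() inside the helper, and getTemplateMarkup hands back that altered value, so the template as the author entered it is no longer recoverable from the bean. Consider keeping the raw markup in the field and applying the encoding at the point where the value is rendered, or in a separately named accessor, and add a comment on the setter stating that the stored value is not the raw input.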
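Review bot: as the hunk at line 392 reads here, `encodedMarkup.replaceAll("<script", "<script")` replaces the string with itself and so changes nothing; if the replacement was meant to be the entity form (`&lt;script`), confirm the committed source actually contains it, because the mail body as received does not. Independently, the match is literal and case-sensitive, so a tag name spelled in another case is left as is, and a script element is not the only markup a browser executes, so a denylist of one tag name will not hold; since the template has to keep its HTML, a whitelist-based HTML sanitizer run over the value is the appropriate tool, backed by a unit test that covers at least the lower, upper and mixed-case spellings. Minor: `replace(CharSequence, CharSequence)` would avoid the regex interpretation that replaceAll applies to both of its arguments.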
Regards, Karthik
-- The mistake people make while designing completely foolproof systems is underestimating the ingenuity of complete fools.
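As an added example that is not code from the Mirage project or from this thread, the encoder the patch introduces rewritten to match the tag name in any letter case, together with the check a reviewer would run on the stored value; the class and method names are assumptions.

```java
// Added example, not code from the Mirage project or the thread: the thread's
// encoder made case-insensitive, plus a check that reports whether a script
// start or end tag is still present in the value that will be stored.
import java.util.regex.Pattern;

public final class TemplateMarkupCheck {

    // Matches "<script" or "</script" in any letter case at a tag-name boundary.
    private static final Pattern SCRIPT_TAG = Pattern.compile("(?i)<(/?)(script)\\b");

    // Same shape as the encoder in the patch, but case-insensitive: the leading
    // '<' becomes "&lt;" while the tag name keeps its original spelling.
    public static String encodeScriptTags(String templateMarkup) {
        if (templateMarkup == null || templateMarkup.trim().length() == 0) {
            return templateMarkup;
        }
        return SCRIPT_TAG.matcher(templateMarkup.trim()).replaceAll("&lt;$1$2");
    }

    // Review check: true if a script start or end tag survives in the markup.
    public static boolean containsScriptTag(String markup) {
        return markup != null && SCRIPT_TAG.matcher(markup).find();
    }

    public static void main(String[] args) {
        // Constructed samples: one script element in lower, upper and mixed case.
        String[] samples = {
            "<p>Hi</p><script>run()</script>",
            "<p>Hi</p><SCRIPT>run()</SCRIPT>",
            "<p>Hi</p><Script>run()</Script>"
        };
        for (String s : samples) {
            String encoded = encodeScriptTags(s);
            System.out.println(encoded + "  -> script tag left: " + containsScriptTag(encoded));
        }
    }
}
```

This closes only the case-sensitivity gap in the thread's approach; a tag-name replacement does not cover the other ways HTML markup can execute code, so a whitelist-based HTML sanitizer remains the general fix.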