Escaping HTML content

Ronn
25 Sep 2008, 4:08 PM
I'm working on a GXT app that reads content from a database and displays it on the screen for the user to edit.

Unfortunately, some of the data is not HTML safe (e.g., it has <>). For some of the components it is easy to write a renderer to filter out/convert the HTML tags, but it is more difficult in some others (like XTemplate).

I could process it on the server side at the service level, but it could get complicated when the domain object is nested. Also, technically, the data should remain the same and it should really be dealt with on rendering.

I'm wondering if I'm missing something, and why this is not best done internally within GXT?

Does anyone have any thoughts?



Caused by: com.google.gwt.core.client.JavaScriptException: (Error):
number: -2147467259
description:
at com.extjs.gxt.ui.client.core.XTemplate$.overwrite$(Native Method)
at com.extjs.gxt.ui.client.widget.ListView.refresh(ListView.java:278)
at com.extjs.gxt.ui.client.widget.ListView$1.storeDataChanged(ListView.java:453)
at com.extjs.gxt.ui.client.store.StoreListener.handleEvent(StoreListener.java:30)
at com.extjs.gxt.ui.client.store.StoreListener.handleEvent(StoreListener.java:1)
at com.extjs.gxt.ui.client.event.BaseObservable.fireEvent(BaseObservable.java:74)
at com.extjs.gxt.ui.client.store.ListStore.onLoad(ListStore.java:180)
at com.extjs.gxt.ui.client.store.ListStore$1.loaderLoad(ListStore.java:131)
at com.extjs.gxt.ui.client.event.LoadListener.handleEvent(LoadListener.java:24)
at com.extjs.gxt.ui.client.event.LoadListener.handleEvent(LoadListener.java:1)
at com.extjs.gxt.ui.client.event.BaseObservable.fireEvent(BaseObservable.java:74)
at com.extjs.gxt.ui.client.data.BasePagingLoader.onLoadSuccess(BasePagingLoader.java:88)
at com.extjs.gxt.ui.client.data.BasePagingLoader.onLoadSuccess(BasePagingLoader.java:1)
at com.extjs.gxt.ui.client.data.BaseLoader$1.onSuccess(BaseLoader.java:119)
at com.extjs.gxt.ui.client.data.RpcProxy$1.onSuccess(RpcProxy.java:33)
at com.google.gwt.user.client.rpc.impl.RequestCallbackAdapter.onResponseReceived(RequestCallbackAdapter.java:215)
at com.google.gwt.http.client.Request.fireOnResponseReceivedImpl(Request.java:254)
at com.google.gwt.http.client.Request.fireOnResponseReceivedAndCatch(Request.java:226)
at com.google.gwt.http.client.Request.fireOnResponseReceived(Request.java:217)

jpnet
25 Sep 2008, 10:15 PM
My guess is that most RIA library developers assume that you will whitelist HTML/JS and sanitize it on the server side. At least, I think that's the proper way. I don't think GXT/ExtJS should try to do that. I think they should act as "dumb views" and attempt to render whatever comes their way.

Maybe I'm missing something. Should you feel the need to read more about this, you can read this forum posting here: http://extjs.com/forum/showthread.php?p=228640#post228640
Although it deals with ExtJS, the JavaScript library, I believe the principles are the same.

Again, maybe I'm missing something or maybe I misunderstood your question... but it's my understanding that it should be done on the server side.

-JP

Ronn
25 Sep 2008, 10:48 PM
Hmmm, I disagree here: the proper way is for the toolkit to render the data for you properly, or at least to give you sensible default behaviour with the power to access the raw HTML.

In practical terms, what we also have here is the ability to share domain objects between the server side and the client side to display and manipulate data.

It's well and fine if all you need to do is create a webpage and display the content fetched from the database.

If I need to manipulate the data fetched from the server side, I would want to preserve the state of the data as it is being fetched from the server. Allow the user to edit/change it and then send it all back to the server again. If I have parsed the HTML tags into &lt; and &gt;, I would then need to reparse them back when the data goes back to the server. It's error prone and a lot of work for working around framework oddities.

An alternative would be to only store embeddable HTML-safe data in the database - but why should my datastore be aware of my presentation nature?

Renderers are great for doing this kind of thing, but not all widgets can be safeguarded this way.

I can see the benefit of the raw power of HTML tags, i.e., you can inject tags into label fields, text fields and grids quite easily, but that power comes with a drawback here. The traditional view of things would be that the framework provides an API for you to format the display. With GXT, it provides programmers access to raw HTML injection, which is great sometimes but not all the time.

Maybe it could possibly belong to the GWT RPC layer... debatable, but certainly putting this stuff in the application layer is just silly.

BTW: the post by Joeri in your link basically expressed the same view as I do. But yes, there are other views... I'm probably not too concerned about XSS here - just plain laziness =)
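The render-time escaping discussed in this thread (the XTemplate failure in the first post and the round-trip argument above), as an added example in plain JavaScript; this is not GXT's XTemplate or any ExtJS code, and `renderTemplate` is a hypothetical stand-in whose `{field}` / `{field:raw}` syntax is assumed for illustration. It shows that escaping at output leaves the model untouched for editing and sending back, while pre-escaped data from the server gets double-escaped by an escaping renderer.

```javascript
// Added example (not GXT/ExtJS code): escape at render time, keep the model raw.

// Escape the five characters that change meaning when text lands in HTML.
// '&' must be handled first so the entities produced later are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical XTemplate-like renderer. "{name}" inserts the field escaped
// (the safe default); "{name:raw}" inserts it unescaped, so the opt-out is
// visible in the one place the template author chose to allow markup.
// The model object is read only and never mutated.
function renderTemplate(template, model) {
  return template.replace(/\{(\w+)(?::(raw))?\}/g, (match, field, raw) => {
    if (!(field in model)) return '';
    const v = model[field];
    return raw === 'raw' ? String(v) : escapeHtml(v);
  });
}

// Constructed record, as it might arrive from the database unchanged:
// the title contains literal angle brackets, the body is trusted markup.
const record = { title: 'Compare <a> and <b>', body: '<i>trusted markup</i>' };

// Render: title escaped by default, body passed through explicitly.
function renderRecord(rec) {
  return renderTemplate('<h1>{title}</h1><div>{body:raw}</div><span>{missing}</span>', rec);
}

// The round-trip problem with server-side pre-escaping: a value stored or sent
// as "&lt;a&gt;" is escaped again by an escaping renderer, producing "&amp;lt;",
// and the editor would have to un-escape it before sending the data back.
function renderPreEscaped(serverValue) {
  return renderTemplate('{title}', { title: serverValue });
}

console.log(renderRecord(record));
console.log(renderPreEscaped('Compare &lt;a&gt;'));
```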

Ronn
25 Sep 2008, 10:51 PM
Oh BTW: I think ExtJS has a lot more scope for the server side to parse the data for you.

With GXT and GWT-RPC, there isn't much to help you here. I have a moderately complex set of nested objects and associations. Can you imagine my server-side code trying to traverse all possible data objects just to parse them? Not pretty or practical at all...