jQuery: $('#message').text("Howdy"); ?



stephen.friedrich
23 Sep 2009, 4:49 AM
Isn't there an easy way to quickly create a single text node child of a matched element (removing any other child elements before)?

Animal
23 Sep 2009, 5:10 AM
Ext.get("message").update("howdy");

stephen.friedrich
23 Sep 2009, 5:20 AM
Thanks, indeed I missed that.
However, isn't Element.update() a potential attack vector for XSS?

jQuery's text() function is much safer as it will only ever create a text node.

Animal
23 Sep 2009, 5:38 AM
Well!



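Ext.override(Ext.Element, {
    // Replace the element's content with a single text node.
    // createTextNode never parses its argument as markup.
    text: function(t) {
        this.dom.innerHTML = '';  // remove any existing children
        this.dom.appendChild(document.createTextNode(t));
    }
});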


Then



Ext.get("message").text("howdy");
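
As an added example (not code from any poster in this thread): the difference between an HTML sink such as update() and a text-node sink, and the encoding step needed when untrusted text has to go through the HTML sink. The names htmlEncode, setText and demo are hypothetical, and the sample string is constructed.

```javascript
// Added example, not from the thread. Runs in Node or in a browser.
// htmlEncode, setText and demo are hypothetical helper names.

// Encode the characters that let text turn into markup when a string
// is assigned through an HTML sink (innerHTML, or update() as used above).
function htmlEncode(value) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Put untrusted text into a DOM node.
// Preferred path: a text node, which the browser never parses as HTML.
// Fallback path (no createTextNode available): encode, then use innerHTML.
function setText(dom, value) {
  var text = String(value);
  var doc = dom.ownerDocument;
  if (doc && typeof doc.createTextNode === 'function') {
    while (dom.firstChild) {
      dom.removeChild(dom.firstChild);
    }
    dom.appendChild(doc.createTextNode(text));
  } else {
    dom.innerHTML = htmlEncode(text);
  }
  return dom;
}

// Constructed sample: a string containing markup that should be shown
// literally to the user, not interpreted.
function demo() {
  var sample = '<b>Howdy</b> & "friends"';
  var stub = { innerHTML: '' }; // constructed stand-in for an element
  return setText(stub, sample).innerHTML;
}

// With the API shown in this thread, the encoded form would be used as:
//   Ext.get("message").update(htmlEncode(untrustedString));
```

Encoding at the point of output also covers strings that never pass through the server, such as values read from the URL fragment in the browser.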

eTiger13
22 Oct 2009, 12:28 PM
Seems like a lot of things that should be in core have to be added in via the override. Kind of defeats having the core if its size is doubled just to bring in some basic stuff.

Animal, can't you just combine all the overrides you have posted in here and submit it to be added in a future release?

TommyMaintz
23 Oct 2009, 11:05 AM
The purpose of update() is just to prevent having to use dom.innerHTML.

The argument that it would cause XSS vulnerabilities is non-valid since you have to prevent XSS attacks on the server side by making sure the data is safe before you even send it back to the client side. Trying to do security on the client side is a lost cause. It means you're already too late into the game to try and do anything seriously helpful.

Anyway, we will internally discuss if we should put the .text() method in. It's not too many bytes, and if it would help a lot of people then it's definitely worth it. I've done a lot of coding with Ext Core though, and I had never ever had a need for it. Really because you can use update() for both text and HTML!

Animal
24 Oct 2009, 12:49 AM
> Seems like a lot of things that should be in core have to be added in via the override. Kind of defeats having the core if its size is doubled just to bring in some basic stuff.
>
> Animal, can't you just combine all the overrides you have posted in here and submit it to be added in a future release?

There's a block of things I've added here: http://www.extjs.com/forum/showthread.php?p=395062#post395062

eTiger13
26 Oct 2009, 10:22 AM
> The purpose of update() is just to prevent having to use dom.innerHTML.
>
> The argument that it would cause XSS vulnerabilities is non-valid since you have to prevent XSS attacks on the server side by making sure the data is safe before you even send it back to the client side. Trying to do security on the client side is a lost cause. It means you're already too late into the game to try and do anything seriously helpful.
>
> Anyway, we will internally discuss if we should put the .text() method in. It's not too many bytes, and if it would help a lot of people then it's definitely worth it. I've done a lot of coding with Ext Core though, and I had never ever had a need for it. Really because you can use update() for both text and HTML!

Does update() both get the text and set it? Does it work on input fields?

I just did a quick search to try and find the docs for update() but either I don't know where to look or it's not easy to find. Where would I go to find that? API search didn't work, Google didn't work unless it's buried.

Animal
26 Oct 2009, 10:32 PM
You can't find it because it's not there.

I just linked to a post where I showed you how to ADD it.