-
21 Feb 2012 10:51 AM #1
[GXT 3.0.0 beta 3] Bug in TriggerFieldDefaultAppearance
In GXT 3.0.0-beta3, there appears to be a bug in TriggerFieldDefaultAppearance.render() if the value contains a single-quote. The problem is that the value text is not HTML escaped, so when the value
Workers' Comp Group
is concatenated in line 187:
String input = "<input name='" + name + "' " + ro + " style='" + inputStyles + "' type='text' value='" + value + "' class='" + cls + "'/>";
You may end up with HTML that looks like this:
<input name='null' style='width:125px;' type='text' value='Workers' Comp Group' class='GA0P54ODMY GA0P54ODD-'/>
Which is invalid.
;ted
-
22 Feb 2012 2:08 PM #2
Thanks, looks like the name property is also susceptible to issues here. We'll probably wrap this in a template, or find some other way to build it as a safe html string, escaping the things that need it.
-
16 Apr 2012 1:37 PM #3
This has been fixed in SVN.
A note on the changes we've made - we didn't use a template in this case, as there isn't a way to not draw html attributes based on the value, and html inputs interpret the readonly attribute as being active if it is set at all. As such, this is still a fairly stringy way of putting the whole thing together, but should be easier to understand and make sure it is correct than before.
-
3 May 2012 4:41 PM #4
The fix for this bug has been included in the public release of Sencha GXT 3.0.0. Please try your test case again with this release. Although we're confident that this issue has been resolved, please reply here (or start a new bug thread linking to this one) if you continue to notice issues.
Success! Looks like we've fixed this one. According to our records the fix was applied for EXTGWT-1458 in 3.0.


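The approach described in this thread (escape every dynamic attribute value, and write the readonly attribute only when it is wanted) can be sketched as below. This is an added example, not the GXT source or the committed fix; the class and method names are hypothetical, and omitting the name attribute when it is null is an assumption of this sketch. In GWT code, SafeHtmlUtils.htmlEscape() would take the place of the hand-written escaper.

```java
// Added illustration; not the GXT source. All names here are hypothetical.
public class InputMarkup {

  // Escape the characters that can end a quoted attribute value or open a tag.
  // In GWT code, SafeHtmlUtils.htmlEscape() fills this role.
  static String escapeAttr(String s) {
    if (s == null) {
      return "";
    }
    StringBuilder sb = new StringBuilder(s.length() + 16);
    for (int i = 0; i < s.length(); i++) {
      char c = s.charAt(i);
      switch (c) {
        case '&': sb.append("&amp;"); break;
        case '<': sb.append("&lt;"); break;
        case '>': sb.append("&gt;"); break;
        case '"': sb.append("&quot;"); break;
        case '\'': sb.append("&#39;"); break;
        default: sb.append(c);
      }
    }
    return sb.toString();
  }

  // Build the <input> tag. Every dynamic value is escaped before it is placed
  // between quotes, and readonly is emitted only when requested, because the
  // mere presence of that attribute makes the field read-only.
  static String renderInput(String name, String value, String styles,
                            String cls, boolean readOnly) {
    StringBuilder sb = new StringBuilder("<input");
    if (name != null) { // assumption: drop the attribute instead of name='null'
      sb.append(" name='").append(escapeAttr(name)).append("'");
    }
    if (readOnly) {
      sb.append(" readonly");
    }
    sb.append(" style='").append(escapeAttr(styles)).append("'");
    sb.append(" type='text'");
    sb.append(" value='").append(escapeAttr(value)).append("'");
    sb.append(" class='").append(escapeAttr(cls)).append("'/>");
    return sb.toString();
  }

  public static void main(String[] args) {
    // The value from the original report, with the same style and class.
    System.out.println(renderInput(null, "Workers' Comp Group",
        "width:125px;", "GA0P54ODMY GA0P54ODD-", false));
  }
}
```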