[CLOSED] ComboBox html encoding

#1 Hani (Sencha Premium Member)


    If I have an item inside of my combo box with '&' in it, it's shown correctly.

    However, once that item is selected, the combobox value displays &amp; instead.

    I could manually htmlunencode the value, but the extra encoding isn't needed, surely?

#2 suntoast (Ext User)


    Bump

    Anyone have a fix for this?

#3 jsakalos (Sencha Community Support Team)


    I was trying to put some &'s in my combos (Ext 1.1 and also Ext svn 876) but I was not able to reproduce it.

    Do you have a link where I could see it?
    Jozef Sakalos, aka Saki

    Education, extensions and services for developers at new http://extjs.eu
    News: Grid Search Plugin, ExtJS 5 Complex Data Binding using MVVM


#4 suntoast (Ext User)


    It happens when you htmlEncode the strings on the way down (in case the user put html into the strings).

    I can't put up a public page, but you can reproduce it pretty easily.

    If you go to:
    http://extjs.com/deploy/ext/examples/form/combos.html
    (or if you have a local build)
    C:\apps\www\deploy\ext-2.0\examples\form\combos.html

    In the states.js file in that directory, instead of

    Code:
    Ext.exampledata.states = [
            ['AL', 'Alabama'],
            ['AK', 'Alaska'],
            ['AZ', 'Arizona']
    ]
    do:

    Code:
    Ext.exampledata.states = [
            ['AL', 'Alabama & test'],
            ['AK', 'Alaska'],
            ['AZ', 'Arizona']
    ]
    You'll notice it looks right in the dropdown text... but not right once it's been selected.

#5 jsakalos (Sencha Community Support Team)


    What should then be shown for ['AL', 'Alabama & test']? &amp; or & ?
    Jozef Sakalos, aka Saki



#6 suntoast (Ext User)


    I'd expect to see Alabama & test, which is what we would post back to the server and would stick in the database.

    Reason for needing to htmlEncode the strings is that a user might enter <h1>Alabama</h1> into a text field, and we'll save it to the database. When it comes out, it needs to not mess with the html of the page.

    If we don't htmlEncode it, then inside the Ext combo box, that "option" will have a real H1 stuck into it, which will mess up the display.

    Ideally we would have a new option for Ext.form.ComboBox that will unHtmlEncode before setting the value of the textbox. That way people expecting the current behavior won't have any problems.

    unHtmlEncode() has been mixed into String in prototype.js, though I don't see a similar function in Ext.

    If that method existed, could do something like:

    Code:
    setValue : function(v){
            var text = v;
            if(this.valueField){
                var r = this.findRecord(this.valueField, v);
                if(r){
                    text = r.data[this.displayField];
                }else if(this.valueNotFoundText !== undefined){
                    text = this.valueNotFoundText;
                }
            }
            this.lastSelectionText = text;
    
            if(this.hiddenField){
                this.hiddenField.value = v;
            }
            
             // new code here
             if (this.unEscapeValue) {
                text = text.unescapeHTML();
            }
    
            Ext.form.ComboBox.superclass.setValue.call(this, text);
            this.value = v;
        },
    If you don't think this is useful for everyone, we can roll that solution for ourselves, but htmlEncoding data that a customer might edit is normally a "good thing".

#7 mystix (Sencha Community Support Team)


    values in an Ext.data.Record should always be the actual value pulled from / going into the backend database i.e. 'Alabama & test', and not the htmlEncode-ed value used for display i.e. 'Alabama &amp; test'.

    once this is straightened out, all that is needed is to correctly handle html entities when displaying data. in the case of the ComboBox, all you'll need is an Ext.Template like so:
    http://extjs.com/forum/showthread.php?t=11113

#8 pejsajan (Ext Premium Member)

    ComboBox component can cause XSS


    ComboBox component can cause XSS.

    Try the example from the examples directory examples/form/combos.html and in the file states.js change the code to:

    Code:
    Ext.exampledata.states = [
      ['AL', 'Alabama <b>bold</b><img scr=xss onerror=alert("xss")>', 'The Heart of Dixie'],
      ...
    Then run this example in Firefox and expand the list of the ComboBox. A Javascript alert with the text "XSS" appears (XSS vulnerability).

    Also ComboBox list and ComboBox selected value is not consistent when some evil characters are in data. How can I solve this?
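As an added example (not Ext JS code, and not code posted by anyone in this thread), the following plain-JavaScript model of the combo's data flow reproduces the three situations raised in posts #4, #6, #7 and #8: escaping the text before it enters the store (post #4's approach, which is what puts `&amp;` into the field after selection and would post the encoded value back to the server), keeping raw values in the Record and escaping only in the list template (post #7's advice), and escaping nowhere (the markup injection from post #8). `htmlEncode`, `htmlDecode`, `buildCombo`, `rendersExtraMarkup` and the sample rows are assumptions of this example, standing in for Ext.util.Format.htmlEncode, the store and the list's Ext.Template; it runs under Node without a DOM.

```javascript
// Added example (not Ext JS code): a plain-JavaScript model of the ComboBox
// data flow discussed in this thread, runnable in Node without a DOM.
//
// A record has a value (posted back to the server) and a display text.
// HTML encoding can happen on the way into the store (post #4), in the
// list template (post #7), or nowhere (post #8's injection).

// Minimal escaper; stands in for Ext.util.Format.htmlEncode (assumption).
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Reverse of htmlEncode for the entities it emits (the unescapeHTML that
// post #6 looked for). Ampersand is decoded last so "&amp;lt;" stays "&lt;".
function htmlDecode(s) {
  return String(s)
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&amp;/g, '&');
}

const WRAPPER_OPEN = '<div class="x-combo-list-item">';
const WRAPPER_CLOSE = '</div>';

// Build a toy combo from [value, displayText] rows (assumed shape).
//   encodeInStore:    escape display text before it enters the store
//   encodeInTemplate: escape display text when rendering the dropdown
function buildCombo(rows, { encodeInStore, encodeInTemplate }) {
  const records = rows.map(([value, display]) => ({
    value,
    display: encodeInStore ? htmlEncode(display) : display,
  }));
  return {
    records,
    // HTML emitted for one dropdown entry (the template of post #7).
    listItemHtml(rec) {
      const text = encodeInTemplate ? htmlEncode(rec.display) : rec.display;
      return WRAPPER_OPEN + text + WRAPPER_CLOSE;
    },
    // What setValue() would assign to the text input's .value property.
    // An input's value is never parsed as HTML, so entities show literally.
    select(value) {
      const rec = records.find((r) => r.value === value);
      return rec ? rec.display : value;
    },
  };
}

// True if the rendered item contains any tag beyond the wrapper div,
// i.e. record text has been inserted into the page as live markup.
function rendersExtraMarkup(itemHtml) {
  const inner = itemHtml.slice(WRAPPER_OPEN.length, -WRAPPER_CLOSE.length);
  return /<[a-zA-Z]/.test(inner);
}

// Constructed sample data mirroring the states.js edits in this thread.
const SAMPLE_ROWS = [
  ['AL', 'Alabama & test'],
  ['AK', 'Alaska <b>bold</b>'],
];

// Run the three configurations and report what each one shows.
function compareApproaches() {
  const configs = {
    encodeOnTheWayDown: { encodeInStore: true, encodeInTemplate: false }, // post #4
    encodeInTemplate: { encodeInStore: false, encodeInTemplate: true },   // post #7
    noEncoding: { encodeInStore: false, encodeInTemplate: false },        // post #8
  };
  const out = {};
  for (const [name, cfg] of Object.entries(configs)) {
    const combo = buildCombo(SAMPLE_ROWS, cfg);
    const [al, ak] = combo.records;
    out[name] = {
      listHtmlAL: combo.listItemHtml(al),   // what the dropdown shows for AL
      fieldTextAL: combo.select('AL'),      // what the input shows after selection
      markupLeaksAK: rendersExtraMarkup(combo.listItemHtml(ak)),
    };
  }
  return out;
}

console.log(JSON.stringify(compareApproaches(), null, 2));
```

Only the `encodeInTemplate` configuration gives a dropdown that renders "Alabama & test", an input that reads `Alabama & test`, and a list item in which the `<b>` from the AK row is inert text; encoding on the way down keeps the list looking right but leaves `&amp;` in the field (post #1's symptom) and encodes again on every round trip, while encoding nowhere inserts the record text as live markup.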

#9 mystix (Sencha Community Support Team)


    this has been discussed many times before.

    as mentioned 1 post up:
    http://extjs.com/forum/showthread.php?t=11113

    try that.

    [edit]
    and these too:
    http://www.google.com/cse?cx=0116939...utf-8&oe=utf-8

#10 pejsajan (Ext Premium Member)


    thanks