jQuery: $('#message').text("Howdy"); ?

**stephen.friedrich** · 23 Sep 2009 4:49 AM

Isn't there an easy way to quickly create a single text node children of a matched element (removing any other child elements before)?

**Animal** · 23 Sep 2009 5:10 AM

Code:

Ext.get("message").update("howdy");

**stephen.friedrich** · 23 Sep 2009 5:20 AM

Thanks, indeed I missed that.
However isn't Element.update() a potential attack vector for XSS?

jQuery's text() function is much safer as it will only ever create a text node.

**Animal** · 23 Sep 2009 5:38 AM

Well!

Code:

Ext.override(Ext.Element, {
    text: function(t) {
        this.dom.innerHTML = '';
        this.dom.appendChild(document.createTextNode(t));
    }
});

Then

Code:

Ext.get("message").text("howdy");

**eTiger13** · 22 Oct 2009 12:28 PM

seems like a lot of things that should be in core have to be added in via the override. Kind of defeats have the core if its size is doubled just to bring in some basic stuff.

Animal, can't you just combine all the overrides you have posted in here and submit it to be added in a future release?

**TommyMaintz** · 23 Oct 2009 11:05 AM

The purpose of update() is to just to prevent having to use dom.innerHTML.

The argument that it would cause XSS vulnerabilities is non-valid since you have to prevent XSS attacks on the serverside by making sure the data is safe before you even send it back to the clientside. Trying to do security on the client-side is a lost cause. It means your already too late into the game to try and do anything seriously helpful.

Anyway, we will internally discuss if we should put the .text() method in. Its not too many bytes, and if it would help a lot of people then its definitely worth it. I've done many coding with Ext Core though, and I had never ever had a need for it. Really because you can use update() for both text and HTML!

**Animal** · 24 Oct 2009 12:49 AM

Originally Posted by eTiger13

seems like a lot of things that should be in core have to be added in via the override. Kind of defeats have the core if its size is doubled just to bring in some basic stuff.

Animal, can't you just combine all the overrides you have posted in here and submit it to be added in a future release?

There's a block of thing's I've added here: http://www.extjs.com/forum/showthrea...062#post395062

**eTiger13** · 26 Oct 2009 10:22 AM

Originally Posted by TommyMaintz

The purpose of update() is to just to prevent having to use dom.innerHTML.

The argument that it would cause XSS vulnerabilities is non-valid since you have to prevent XSS attacks on the serverside by making sure the data is safe before you even send it back to the clientside. Trying to do security on the client-side is a lost cause. It means your already too late into the game to try and do anything seriously helpful.

Anyway, we will internally discuss if we should put the .text() method in. Its not too many bytes, and if it would help a lot of people then its definitely worth it. I've done many coding with Ext Core though, and I had never ever had a need for it. Really because you can use update() for both text and HTML!

Does update() both get the text and set it? Does it work on input fields?

I just did a quick search to try and find the docs for update() but either I don't know where to look or its not easy to find. Where would I go to find that? API search didn't work, Google didn't work unless its buried.

**Animal** · 26 Oct 2009 10:32 PM

You can't find it because it's not there.

I just linked to a post where I showed you how to ADD it.

jQuery: $('#message').text("Howdy"); ?

Thread Tools

Search Thread

Display

Unanswered: jQuery: $('#message').text("Howdy"); ?

Unanswered: jQuery: $('#message').text("Howdy"); ?