Updating a component doesn't properly escape text



arueckert
15 Jul 2011, 1:09 PM
Sencha Touch version tested:

1.1.0

only default ext-all.css


Platform tested against:

Platform Independent


Description:

When updating a template-less Component with an object, text members are not properly escaped to be an HTML attribute.


Test Case:



Ext.setup({
    onReady: function() {
        // A plain panel with no tpl configured, so update() receives a raw object
        var p = new Ext.Panel({
            fullscreen: true,
            layout: 'hbox',
            items: [
                {
                    xtype: 'button',
                    text: 'OK'
                }
            ]
        });
        // Object whose "name" value contains a double quote and a closing angle bracket
        var obj = {
            name: '\">Johnny Tables',
            bio: 'tends to break things'
        };
        p.show();
        // Expected: values end up as escaped attributes; observed: the tag is broken open
        p.update(obj);
    }
});


The result that was expected:

Object created looks like: <div name="\">Johnny_Tables" bio="tends to break things"></div>
OR
Object created looks like: <div name="&quot;&gt;Johnny_Tables" bio="tends to break things"></div>


The result that occurs instead:

Object created looks like: <div name="">Johnny_Tables" bio="tends to break things"&gt;</div>


Screenshot or Video:

http://i.imgur.com/oHgh4.png


Debugging already done:

none


Possible fix:

Backslash-escape all quotes, newlines, backslashes, etc.
"htmlspecialchars" encode all text in html attributes in created objects.
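To make the second suggested fix concrete, here is an added example (not Sencha code, and not the poster's) that renders the report's object into attribute markup twice: once by plain concatenation, which reproduces the broken tag described above, and once with attribute-value escaping of the kind "htmlspecialchars" performs. The object literal and the attribute-name check are assumptions of this example.

```javascript
// Constructed input, taken from the test case in the report above.
const obj = { name: '">Johnny Tables', bio: 'tends to break things' };

// Escape the characters that can terminate or alter a double-quoted HTML
// attribute value. '&' is replaced first so existing entities are not mangled.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Unsafe rendering: values are concatenated verbatim, so a value containing
// `">` closes the attribute and the tag early (the behaviour the report observed).
function renderUnsafe(attrs) {
  const parts = Object.keys(attrs).map(k => `${k}="${attrs[k]}"`);
  return `<div ${parts.join(' ')}></div>`;
}

// Hardened rendering: every value goes through escapeAttr, and attribute names
// (which also come from the caller's object) are restricted to a safe pattern.
function renderSafe(attrs) {
  const parts = Object.keys(attrs).map(k => {
    if (!/^[A-Za-z_][\w-]*$/.test(k)) {
      throw new Error('refusing to emit unsafe attribute name: ' + k);
    }
    return `${k}="${escapeAttr(attrs[k])}"`;
  });
  return `<div ${parts.join(' ')}></div>`;
}

// Detection helper: true when the rendered string contains a second '>' before
// the closing tag, i.e. an attribute value broke out of the opening tag.
function tagBrokenOpen(html) {
  const open = html.indexOf('>');
  const close = html.indexOf('</div>');
  return open !== -1 && html.indexOf('>', open + 1) < close;
}
```

Running renderUnsafe(obj) yields `<div name="">Johnny Tables" bio="tends to break things"></div>`, which is what a browser then re-serialises into the output shown in the report, while renderSafe(obj) yields the `&quot;&gt;` form the reporter listed as acceptable.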