Escaped text in textfields: JsEXT behaves different



wuschba
18 Aug 2008, 12:41 AM
Hello!

I'm discovering a different behaviour between html-textfields and jsext-textfields.

Normally you are using the php-method htmlspecialchars to escape something you put into a textfield to prevent attacks like cross-site scripting. So when someone enters an html-tag like <a href=" it will be converted to &gt;a href=\"

When you put such a string into a html-textfield, you will see the right text again: <a href="

When you put such a string into a jsext-textfield, you will still see the escaped text: &gt;a href=\"


Is this by design or is this a bug? Is there a way to make a jsext-textfield behave like a html-textfield in that context? Of course you could just escape the " and ' for jsext-textfields, but it would avoid the risk of mixing up what to escape when, if there is a unique method for it for html- and jsext-textfields.

Condor
18 Aug 2008, 12:53 AM
With a normal HTML input you fill the text attribute (and attributes need to be escaped).
An Ext.form.TextField sets the text attribute using javascript (no escaping needed).

You can always convert to/from HTML by using Ext.util.Format.htmlEncode/htmlDecode, e.g.


new Ext.Viewport({
    layout: 'fit',
    items: [{
        xtype: 'form',
        items: [{
            xtype: 'textfield',
            value: Ext.util.Format.htmlEncode('<a href="#">Link</a>')
        }]
    }]
});
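
The difference discussed in this thread, as an added example that is not part of either post and is not Ext JS code: a value written into HTML markup is entity-decoded by the parser, while a value assigned from script is shown verbatim, so each sink needs the encoding for its own context. All function names are hypothetical, the two "shown" functions are simplified models of the browser, and the sample input is constructed.

```javascript
// Added example. Helper names are hypothetical; the sinks are simplified models.
const ENC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const DEC = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"' };

// Encode/decode the four characters that matter in a double-quoted attribute.
function htmlEncode(s) { return String(s).replace(/[&<>"]/g, c => ENC[c]); }
// Single pass, so "&amp;lt;" decodes to "&lt;" and not to "<".
function htmlDecode(s) { return String(s).replace(/&(amp|lt|gt|quot);/g, m => DEC[m]); }

// Sink 1: the server writes <input value="..."> as markup. The HTML parser
// ends the attribute at the first raw quote and decodes entities inside it.
function shownViaMarkup(attrText) {
  const html = '<input value="' + attrText + '">';
  const m = /<input value="([^"]*)"/.exec(html);
  return htmlDecode(m[1]);
}

// Sink 2: script assigns the value property (what a JS-built field does).
// No HTML parsing happens, so the string is displayed exactly as given.
function shownViaProperty(text) {
  const field = { value: '' }; // stand-in for the DOM input element
  field.value = text;
  return field.value;
}

// Encoding for the script context: a JS string literal, with "<" escaped so
// the literal cannot close an inline <script> block.
function jsLiteral(s) { return JSON.stringify(String(s)).replace(/</g, '\\u003c'); }

const userInput = '<a href="';            // constructed sample input
const escaped = htmlEncode(userInput);    // '&lt;a href=&quot;'

const results = {
  markupEscaped: shownViaMarkup(escaped),     // original text is shown
  markupRaw: shownViaMarkup(userInput),       // attribute ends early at the quote
  propertyEscaped: shownViaProperty(escaped), // entities are shown literally
  propertyDecoded: shownViaProperty(htmlDecode(escaped)),
  propertyFromLiteral: shownViaProperty(JSON.parse(jsLiteral(userInput))),
};
console.log(results);
```

JSON.parse stands in here for the JavaScript engine reading the literal from the page source.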