Bug 200389 - Link widget allows every html tag
Summary: Link widget allows every html tag
Status: RESOLVED FIXED
Alias: None
Product: RAP
Classification: RT
Component: RWT
Version: 1.0
Hardware: PC All
Importance: P3 normal
Target Milestone: 1.0.1
Assignee: Mariot Chauvin CLA
QA Contact:
URL:
Whiteboard: r2d2
Keywords: bugday
Duplicates: 200392
Depends on:
Blocks:
 
Reported: 2007-08-17 12:17 EDT by Benjamin Muskalla CLA
Modified: 2008-09-24 05:47 EDT

See Also:


Attachments
escape html tags other than <a>, </a> and <a * (3.71 KB, patch)
2007-08-31 23:35 EDT, Mariot Chauvin CLA
Unit test that should be passed when escaping text (3.38 KB, patch)
2007-09-05 17:21 EDT, Rüdiger Herrmann CLA
escape html tags (1.04 KB, patch)
2007-09-15 08:49 EDT, Mariot Chauvin CLA
jkrause: iplog+

Description Benjamin Muskalla CLA 2007-08-17 12:17:57 EDT
Link widget should only allow <a> tags and should escape everything else.
Comment 1 Rüdiger Herrmann CLA 2007-08-27 14:11:17 EDT
*** Bug 200392 has been marked as a duplicate of this bug. ***
Comment 2 Mariot Chauvin CLA 2007-08-31 06:43:51 EDT
If I had time, I am interested to work on this bug for the next eclipse bug day (31 august). Is it ok ?
Comment 3 Mariot Chauvin CLA 2007-08-31 06:45:46 EDT
(In reply to comment #2)
> If I had time, I am interested to work on this bug for the next eclipse bug day
> (31 august). Is it ok ?
> 

*have
Comment 4 Benjamin Muskalla CLA 2007-08-31 08:23:48 EDT
Sure. You're welcome to contribute patches :-) If you have any problems, don't hesitate to ask here or on the newsgroup.
Comment 5 Mariot Chauvin CLA 2007-08-31 23:35:14 EDT
Created attachment 77526 [details]
escape html tags other than <a>,  </a> and <a *

It is clearly not perfect, I still need to work on it.
However, could someone review it to see if I am on the right way?
Comment 6 Rüdiger Herrmann CLA 2007-09-05 17:20:35 EDT
Thanks a lot for the patch, but I am sorry to say that you are on the wrong path.
Directly manipulating the value passed to setText() violates the condition that getText() must return this value as is. Link_Test#textText and #testAdapter ensure this behaviour and would fail with your patch applied.
The escaping should rather be done in LinkLCA as this is the mediator between server and client. Have a look at LinkLCA#writeNormalText and #writeLinkText. It should suffice to just escape the text that is passed in these methods.
If you are lucky you can even use WidgetLCAUtil#escapeText(String,boolean).
I will attach a test case.
Comment 7 Rüdiger Herrmann CLA 2007-09-05 17:21:56 EDT
Created attachment 77755 [details]
Unit test that should be passed when escaping text
Comment 8 Mariot Chauvin CLA 2007-09-06 05:56:30 EDT
Thanks for the info, tips, and the JUnit test. I will have a look at this tomorrow and provide a new patch.
Comment 9 Mariot Chauvin CLA 2007-09-15 08:49:18 EDT
Created attachment 78497 [details]
escape html tags

This patch escapes html tags with WidgetLCAUtil#escapeText(String,boolean).
It fails the test case, because the test case checks if the text between not allowed markups (like "script") is removed. I think it's not necessary and that escaping HTML should suffice.
Comment 10 Ralf Sternberg CLA 2007-10-16 07:09:27 EDT
Sorry for the delay, there was just too much workload lately.
Your second patch is ok but I changed the mnemonics parameter to true, because the SWT Link widget indeed respects mnemonics. Tests are all green.
Thank you for participating, I hope you continue and have fun.
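
The design point from comment 6 (setText()/getText() stay lossless and escaping happens only when the markup is written for the client), as an added example that is not part of the bug thread or RAP's own code. `Link`, `render` and `escape` below are hypothetical stand-ins written for this illustration; `escape` is not `WidgetLCAUtil#escapeText`, and the input string is constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LinkEscapeDemo {

    // Hypothetical widget: setText() stores the value untouched, so getText() returns it as is.
    static final class Link {
        private String text = "";
        void setText(String text) { this.text = text; }
        String getText() { return text; }
    }

    // Only <a ...>label</a> is treated as markup; <abbr>, <script> etc. do not match.
    private static final Pattern ANCHOR = Pattern.compile("<a(?:\\s[^>]*)?>(.*?)</a>", Pattern.DOTALL);

    // Minimal HTML escaping (assumed helper, written for this example).
    static String escape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hypothetical renderer (the role the thread assigns to the LCA): escape at output time.
    static String render(Link link) {
        String text = link.getText();
        StringBuilder out = new StringBuilder();
        Matcher m = ANCHOR.matcher(text);
        int last = 0;
        while (m.find()) {
            out.append(escape(text.substring(last, m.start())));          // normal text
            out.append("<a>").append(escape(m.group(1))).append("</a>");  // tag rebuilt, attributes dropped
            last = m.end();
        }
        return out.append(escape(text.substring(last))).toString();
    }

    public static void main(String[] args) {
        String raw = "See <a onclick=\"x\">docs</a> <script>x</script> & <b>more</b>"; // constructed input
        Link link = new Link();
        link.setText(raw);
        System.out.println(link.getText().equals(raw)); // stored value is unchanged
        System.out.println(render(link));
    }
}
```

Rebuilding the anchor from its parsed label, instead of passing any `<a ...>` tag through, means attributes in the application-supplied text never reach the client markup.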