-
Notifications
You must be signed in to change notification settings - Fork 339
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Form html entities not rendering as expected #335
Comments
Update to my previous post. I have decided to never encode html when storing in db, as this affects length and makes queries more difficult. But, I thought Thanks, |
You have the choice between making your client-side data strings encode some characters - and specifically On the client if you provide user editing of strings through data-linked inputs etc. then the choice is:
The converters can be the following:
Your post here made me look more closely at encoding and related XSS or other security issue when users can enter markup strings... I will post back here with an update on this... Note that the setting of content on a textarea or input is either through markup - in which case encoding of |
The next update will include the above encode and unencode converters, to facilitate secure approaches to inserting and removing HTML data from users/the server. Marking this as feature request. |
Thanks Boris, that will be much more convenient. |
Major update Breaking change - Templates declared in <div> or other non script element are not supported. (Throws with error message) Minor breaking changes - The {{range}} tag has been removed - replaced by {{for}} tag using built-in range features. See https://www.jsviews.com#jsvfortag@jsvsortfilterrange - Changed behavior of .setValue() API on custom tags. The .setValue() method is called even for undefined values. The .getValue() method is not called. Return false from setValue to not data-link a linked element. (e.g. jQuery UI slider). See https://www.jsviews.com#tagoptions@setvalue - {{tabs}} API changes: The selectedIndex property is renamed to the pane property. The tabCaption property is renamed to the caption property - Some changes to behavior/effect of the bindTo tag option - which is now associated with the new bindFrom tag option. See https://www.jsviews.com#tagoptions@bindto and https://www.jsviews.com#tagoptions@bindfrom Major feature improvements - The {{for}} tag now has built-in support for sort, filter, start and end. See https://www.jsviews.com#fortag@sortfilterrange - The {{props}} tag now has built-in support for sort, filter, start and end. See https://www.jsviews.com#propstag@sortfilterrange - New converters encode/unencode. See https://www.jsviews.com#convertersapi@encode - New tag options: bindFrom - together with tag option bindTo - provide improved features for custom tags. See https://www.jsviews.com#tagoptions@bindto and https://www.jsviews.com#tagoptions@bindfrom - New support for observing/unobserving contextual parameters. $.observe(tagOrView, "~foo", callback) - documentation to follow - New support for observing properties of any item in an array, using "array.[].*" or "array.[].foo" (or "array.[]^*", etc.) - documentation to follow - Late paths support: "@a.b.c" - documentation to follow - New support for getting a reference to a tag instance using {^{mytag this=~myTag}} - documentation to follow Minor feature improvements - Custom tag linkedElem can now target non-editable and contentEditable. See https://www.jsviews.com#bindingpatterns@linkedelem - New APIs added for tagCtx.ctxPrm(), tagCtx.cvtArgs() and tagCtx.bndArgs() even for non-data-linked tags - documentation to follow - The contentCtx option now works also for custom tag using render(), rather than a template. See https://www.jsviews.com#tagsapi@contentctx - In a template, ~tag.tagCtx.xxx can now be written ~tagCtx.xxx, and works correctly e.g. for data-linking using {{mytag}}{{else}}{{~tagCtx...}}{{/mytag}} - documentation to follow - ~tagCtx is now a reserved name like ~tag ~root ~parentTags... - On a custom tag, the bindTo option is not needed with 2-way linking to first argument - updateValue() now supports an async option: pass true for the fourth parameter, defer - updateValue(val, index, tagElse, tag, defer). - Documentation to follow - New debug:true option on a compiled template. See https://www.jsviews.com#d.templates@debug - New depends option on custom tags (see https://www.jsviews.com#tagoptions@depends) or an instance property {{someTag depends='a.b'}} or {{someTag depends=~someTagDependsArray}} - An error will be thrown if different versions of jsrender.js, jquery.observable.js and jquery.views.js are loaded together - DataMap, {{props}} and {{jsonview}} now include support for function properties too, unless opt out using {{props foo noFunctions=true}}. See https://www.jsviews.com#propstag@nofunctions - Support for nested {{for}} tags without iteration, and for then applying operations such as sorting to arrays in nexted context, as in {{for filter=... noIteration=true}}{{for sort=... noIteration=true}}{{for start=... end=...}}. See https://www.jsviews.com#fortag@itemvar Documentation - Extensive new documentation, especially on custom tag controls: See https://www.jsviews.com#jsvtagcontrols. For an example of a JsViews custom tag control see https://www.jsviews.com#samples/tag-controls/colorpicker Minor bug fixes, including: - a contentEditable bug for IE - a bug for data-linking to 'length' property. - a bug when a computed property 'depends' mixes data and contextual paths - a bug in jquery-1.x cleanData - a bug in move() arrayChange on {{for}} - Issue BorisMoore/jsviews#408 $.observe('ns', model.list, '[]^qty', handler);?? - Issue BorisMoore/jsviews#406 Weird data-linked `for` loop behaviour with deep observing after model update - Issue BorisMoore/jsviews#404 Props Convert else statement not working - Issue BorisMoore/jsviews#403 ~ operator support - Issue BorisMoore/jsviews#400 Move the tag property in views to before rendering, to enable "get current path" path scenario - Issue BorisMoore/jsviews#398 After DOM modifications to the child options of a data-linked select, the first option shows as selected - Issue BorisMoore/jsviews#397 {^{radiogroup value disabled=notEnabled}} is now supported - Issue BorisMoore/jsviews#198 Provide full documentation of custom tags using 2-way binding, binding to args or props etc. - Issue BorisMoore/jsviews#374 Wrong initial value shown (timespinner control) - Issue BorisMoore/jsrender#335 encode and unencode converters
Major update Breaking change - Templates declared in <div> or other non script element are not supported. (Throws with error message) Minor breaking changes - The {{range}} tag has been removed - replaced by {{for}} tag using built-in range features. See https://www.jsviews.com#jsvfortag@jsvsortfilterrange - Changed behavior of .setValue() API on custom tags. The .setValue() method is called even for undefined values. The .getValue() method is not called. Return false from setValue to not data-link a linked element. (e.g. jQuery UI slider). See https://www.jsviews.com#tagoptions@setvalue - {{tabs}} API changes: The selectedIndex property is renamed to the pane property. The tabCaption property is renamed to the caption property - Some changes to behavior/effect of the bindTo tag option - which is now associated with the new bindFrom tag option. See https://www.jsviews.com#tagoptions@bindto and https://www.jsviews.com#tagoptions@bindfrom Major feature improvements - The {{for}} tag now has built-in support for sort, filter, start and end. See https://www.jsviews.com#fortag@sortfilterrange - The {{props}} tag now has built-in support for sort, filter, start and end. See https://www.jsviews.com#propstag@sortfilterrange - New converters encode/unencode. See https://www.jsviews.com#convertersapi@encode - New tag options: bindFrom - together with tag option bindTo - provide improved features for custom tags. See https://www.jsviews.com#tagoptions@bindto and https://www.jsviews.com#tagoptions@bindfrom - New support for observing/unobserving contextual parameters. $.observe(tagOrView, "~foo", callback) - documentation to follow - New support for observing properties of any item in an array, using "array.[].*" or "array.[].foo" (or "array.[]^*", etc.) - documentation to follow - Late paths support: "@a.b.c" - documentation to follow - New support for getting a reference to a tag instance using {^{mytag this=~myTag}} - documentation to follow Minor feature improvements - Custom tag linkedElem can now target non-editable and contentEditable. See https://www.jsviews.com#bindingpatterns@linkedelem - New APIs added for tagCtx.ctxPrm(), tagCtx.cvtArgs() and tagCtx.bndArgs() even for non-data-linked tags - documentation to follow - The contentCtx option now works also for custom tag using render(), rather than a template. See https://www.jsviews.com#tagsapi@contentctx - In a template, ~tag.tagCtx.xxx can now be written ~tagCtx.xxx, and works correctly e.g. for data-linking using {{mytag}}{{else}}{{~tagCtx...}}{{/mytag}} - documentation to follow - ~tagCtx is now a reserved name like ~tag ~root ~parentTags... - On a custom tag, the bindTo option is not needed with 2-way linking to first argument - updateValue() now supports an async option: pass true for the fourth parameter, defer - updateValue(val, index, tagElse, tag, defer). - Documentation to follow - New debug:true option on a compiled template. See https://www.jsviews.com#d.templates@debug - New depends option on custom tags (see https://www.jsviews.com#tagoptions@depends) or an instance property {{someTag depends='a.b'}} or {{someTag depends=~someTagDependsArray}} - An error will be thrown if different versions of jsrender.js, jquery.observable.js and jquery.views.js are loaded together - DataMap, {{props}} and {{jsonview}} now include support for function properties too, unless opt out using {{props foo noFunctions=true}}. See https://www.jsviews.com#propstag@nofunctions - Support for nested {{for}} tags without iteration, and for then applying operations such as sorting to arrays in nexted context, as in {{for filter=... noIteration=true}}{{for sort=... noIteration=true}}{{for start=... end=...}}. See https://www.jsviews.com#fortag@itemvar Documentation - Extensive new documentation, especially on custom tag controls: See https://www.jsviews.com#jsvtagcontrols. For an example of a JsViews custom tag control see https://www.jsviews.com#samples/tag-controls/colorpicker Minor bug fixes, including: - a contentEditable bug for IE - a bug for data-linking to 'length' property. - a bug when a computed property 'depends' mixes data and contextual paths - a bug in jquery-1.x cleanData - a bug in move() arrayChange on {{for}} - Issue BorisMoore/jsviews#408 $.observe('ns', model.list, '[]^qty', handler);?? - Issue BorisMoore/jsviews#406 Weird data-linked `for` loop behaviour with deep observing after model update - Issue BorisMoore/jsviews#404 Props Convert else statement not working - Issue BorisMoore/jsviews#403 ~ operator support - Issue BorisMoore/jsviews#400 Move the tag property in views to before rendering, to enable "get current path" path scenario - Issue BorisMoore/jsviews#398 After DOM modifications to the child options of a data-linked select, the first option shows as selected - Issue BorisMoore/jsviews#397 {^{radiogroup value disabled=notEnabled}} is now supported - Issue BorisMoore/jsviews#198 Provide full documentation of custom tags using 2-way binding, binding to args or props etc. - Issue BorisMoore/jsviews#374 Wrong initial value shown (timespinner control) - Issue BorisMoore/jsrender#335 encode and unencode converters
Major update Breaking change - Templates declared in <div> or other non script element are not supported. (Throws with error message) Minor breaking changes - The {{range}} tag has been removed - replaced by {{for}} tag using built-in range features. See https://www.jsviews.com#jsvfortag@jsvsortfilterrange Major feature improvements - The {{for}} tag now has built-in support for sort, filter, start and end. See https://www.jsviews.com#fortag@sortfilterrange - The {{props}} tag now has built-in support for sort, filter, start and end. See https://www.jsviews.com#propstag@sortfilterrange - New converters encode/unencode. See https://www.jsviews.com#convertersapi@encode - New tag options: bindFrom - together with tag option bindTo - provide improved features for custom tags. See https://www.jsviews.com#tagoptions@bindto and https://www.jsviews.com#tagoptions@bindfrom Minor feature improvements - New APIs added for tagCtx.ctxPrm(), tagCtx.cvtArgs() and tagCtx.bndArgs() even for non-data-linked tags - documentation to follow - The contentCtx option now works also for custom tag using render(), rather than a template. See https://www.jsviews.com#tagsapi@contentctx - In a template, ~tag.tagCtx.xxx can now be written ~tagCtx.xxx, and works correctly e.g. for data-linking using {{mytag}}{{else}}{{~tagCtx...}}{{/mytag}} - documentation to follow - ~tagCtx is now a reserved name like ~tag ~root ~parentTags... - New debug:true option on a compiled template. See https://www.jsviews.com#d.templates@debug - An error will be thrown if different versions of jsrender.js, jquery.observable.js and jquery.views.js are loaded together - DataMap, {{props}} and {{jsonview}} now include support for function properties too, unless opt out using {{props foo noFunctions=true}}. See https://www.jsviews.com#propstag@nofunctions - Support for nested {{for}} tags without iteration, and for then applying operations such as sorting to arrays in nexted context, as in {{for filter=... noIteration=true}}{{for sort=... noIteration=true}}{{for start=... end=...}}. See https://www.jsviews.com#fortag@itemvar Documentation - Extensive new documentation, especially on custom tag controls: See https://www.jsviews.com#jsvtagcontrols. For an example of a JsViews custom tag control see https://www.jsviews.com#samples/tag-controls/colorpicker Minor bug fixes, including: - a contentEditable bug for IE - a bug in jquery-1.x cleanData - Issue BorisMoore/jsviews#404 Props Convert else statement not working - Issue BorisMoore/jsviews#403 ~ operator support - Issue BorisMoore/jsviews#400 Move the tag property in views to before rendering, to enable "get current path" path scenario - Issue #335 encode and unencode converters
Major update Breaking change - Templates declared in <div> or other non script element are not supported. (Throws with error message) Minor breaking changes - The {{range}} tag has been removed - replaced by {{for}} tag using built-in range features. See https://www.jsviews.com#jsvfortag@jsvsortfilterrange - Changed behavior of .setValue() API on custom tags. The .setValue() method is called even for undefined values. The .getValue() method is not called. Return false from setValue to not data-link a linked element. (e.g. jQuery UI slider). See https://www.jsviews.com#tagoptions@setvalue - {{tabs}} API changes: The selectedIndex property is renamed to the pane property. The tabCaption property is renamed to the caption property - Some changes to behavior/effect of the bindTo tag option - which is now associated with the new bindFrom tag option. See https://www.jsviews.com#tagoptions@bindto and https://www.jsviews.com#tagoptions@bindfrom Major feature improvements - The {{for}} tag now has built-in support for sort, filter, start and end. See https://www.jsviews.com#fortag@sortfilterrange - The {{props}} tag now has built-in support for sort, filter, start and end. See https://www.jsviews.com#propstag@sortfilterrange - New converters encode/unencode. See https://www.jsviews.com#convertersapi@encode - New tag options: bindFrom - together with tag option bindTo - provide improved features for custom tags. See https://www.jsviews.com#tagoptions@bindto and https://www.jsviews.com#tagoptions@bindfrom - New support for observing/unobserving contextual parameters. $.observe(tagOrView, "~foo", callback) - documentation to follow - New support for observing properties of any item in an array, using "array.[].*" or "array.[].foo" (or "array.[]^*", etc.) - documentation to follow - Late paths support: "@a.b.c" - documentation to follow - New support for getting a reference to a tag instance using {^{mytag this=~myTag}} - documentation to follow Minor feature improvements - Custom tag linkedElem can now target non-editable and contentEditable. See https://www.jsviews.com#bindingpatterns@linkedelem - New APIs added for tagCtx.ctxPrm(), tagCtx.cvtArgs() and tagCtx.bndArgs() even for non-data-linked tags - documentation to follow - The contentCtx option now works also for custom tag using render(), rather than a template. See https://www.jsviews.com#tagsapi@contentctx - In a template, ~tag.tagCtx.xxx can now be written ~tagCtx.xxx, and works correctly e.g. for data-linking using {{mytag}}{{else}}{{~tagCtx...}}{{/mytag}} - documentation to follow - ~tagCtx is now a reserved name like ~tag ~root ~parentTags... - On a custom tag, the bindTo option is not needed with 2-way linking to first argument - updateValue() now supports an async option: pass true for the fourth parameter, defer - updateValue(val, index, tagElse, tag, defer). - Documentation to follow - New debug:true option on a compiled template. See https://www.jsviews.com#d.templates@debug - New depends option on custom tags (see https://www.jsviews.com#tagoptions@depends) or an instance property {{someTag depends='a.b'}} or {{someTag depends=~someTagDependsArray}} - An error will be thrown if different versions of jsrender.js, jquery.observable.js and jquery.views.js are loaded together - DataMap, {{props}} and {{jsonview}} now include support for function properties too, unless opt out using {{props foo noFunctions=true}}. See https://www.jsviews.com#propstag@nofunctions - Support for nested {{for}} tags without iteration, and for then applying operations such as sorting to arrays in nexted context, as in {{for filter=... noIteration=true}}{{for sort=... noIteration=true}}{{for start=... end=...}}. See https://www.jsviews.com#fortag@itemvar Documentation - Extensive new documentation, especially on custom tag controls: See https://www.jsviews.com#jsvtagcontrols. For an example of a JsViews custom tag control see https://www.jsviews.com#samples/tag-controls/colorpicker Minor bug fixes, including: - a contentEditable bug for IE - a bug for data-linking to 'length' property. - a bug when a computed property 'depends' mixes data and contextual paths - a bug in jquery-1.x cleanData - a bug in move() arrayChange on {{for}} - Issue #408 $.observe('ns', model.list, '[]^qty', handler);?? - Issue #406 Weird data-linked `for` loop behaviour with deep observing after model update - Issue #404 Props Convert else statement not working - Issue #403 ~ operator support - Issue #400 Move the tag property in views to before rendering, to enable "get current path" path scenario - Issue #398 After DOM modifications to the child options of a data-linked select, the first option shows as selected - Issue #397 {^{radiogroup value disabled=notEnabled}} is now supported - Issue #198 Provide full documentation of custom tags using 2-way binding, binding to args or props etc. - Issue #374 Wrong initial value shown (timespinner control) - Issue BorisMoore/jsrender#335 encode and unencode converters
This has been fixed in release v0.9.91. |
<input type="text" value="x<y" />
<textarea>x<y</textarea>
The two above standard html input or textarea render html entities values as x<y
If I data-link input or textarea then these render as
x<y
(not expected).val="
x<y
"<input type="text" data-link="val" />
or<input type="text" data-link="{:val}" />
<textarea data-link="val"></textarea>
I tried using a converter using $.parseHTML()...but that returns an object which cannot be used.
Is this by design or am I simply missing something?
Is there anyway to render html entities like x<y without attaching a html editing widget (which is overkill here)?
Thanks
The text was updated successfully, but these errors were encountered: