Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Form html entities not rendering as expected #335

Closed
alnico2001 opened this issue Mar 23, 2018 · 5 comments
Closed

Form html entities not rendering as expected #335

alnico2001 opened this issue Mar 23, 2018 · 5 comments
Labels
Feature request Planned for V1.1 Resolved

Comments

@alnico2001
Copy link

<input type="text" value="x&lt;y" />
<textarea>x&lt;y</textarea>

The two above standard html input or textarea render html entities values as x<y

If I data-link input or textarea then these render as x&lt;y (not expected).

val="x&lt;y"
<input type="text" data-link="val" /> or <input type="text" data-link="{:val}" />
<textarea data-link="val"></textarea>

I tried using a converter using $.parseHTML()...but that returns an object which cannot be used.

Is this by design or am I simply missing something?

Is there anyway to render html entities like x<y without attaching a html editing widget (which is overkill here)?

Thanks
@alnico2001
Copy link
Author

alnico2001 commented Mar 25, 2018
edited
Loading

Update to my previous post. I have decided to never encode html when storing in db, as this affects length and makes queries more difficult. But, I thought x&lt;y would render the same using data-link like a plain input/textarea element...x<y...I guess we would need something like data-link="{{>data}}" for it to render that way.

Thanks,

@BorisMoore
Copy link
Owner

BorisMoore commented Mar 25, 2018
edited
Loading

You have the choice between making your client-side data strings encode some characters - and specifically <, >, & - or not. If you decide to encode those characters then you have the separate question of whether to encode them also on the server (and if not, then you will need to unencode when sending to the server, and encode again when fetching).

On the client if you provide user editing of strings through data-linked inputs etc. then the choice is:

  • Don't encode, but never use {^{:someValue}} to display strings. Instead use {^{>someValue}} or <span data-link="someValue">, or for two-way: <input data-link="someValue"/>, for example...
  • Encode, and use {^{:someValue}} or <span data-link="{unencode:someValue}" or <input data-link="{unencode:someValue:encode"/>, etc.

The converters can be the following:

$.views.converters({
  encode: function dataEncode(text) {
    // Encode just < > and & - intended for 'safe data' along with {{:}} rather than {{>}}
    return text != undefined ? text.replace(/[&<>]/g, function(token) { 
      return encodeEnts[token]; 
    }) : "";
  },

  unencode: function(text) {
  // Unencode just < > and & - intended for 'safe data' along with {{:}} rather than {{>}}
  return text != undefined ? text.replace(/&(amp|gt|lt);/g, function(match, token) { 
    return unencodeEnts[token]; 
  }) : "";
  }
});

Your post here made me look more closely at encoding and related XSS or other security issue when users can enter markup strings... I will post back here with an update on this...

Note that the setting of content on a textarea or input is either through markup - in which case encoding of > etc. is required: <input value="&gt;"/> or programmatic in which case you are not within HTML markup, so setting input.value = ">" is correct, and using the HTML character entity is incorrect.

@BorisMoore
Copy link
Owner

The next update will include the above encode and unencode converters, to facilitate secure approaches to inserting and removing HTML data from users/the server. Marking this as feature request.

@alnico2001
Copy link
Author

Thanks Boris, that will be much more convenient.

BorisMoore added a commit to BorisMoore/jsviews.com that referenced this issue Sep 21, 2018
@BorisMoore
Commit 91 (v0.9.91 - Beta)
f59020f 
Major update

Breaking change

- Templates declared in <div> or other non script element are not
  supported. (Throws with error message)

Minor breaking changes

- The {{range}} tag has been removed - replaced by {{for}} tag using
  built-in range features. See https://www.jsviews.com#jsvfortag@jsvsortfilterrange

- Changed behavior of .setValue() API on custom tags. The .setValue()
  method is called even for undefined values. The .getValue() method
  is not called. Return false from setValue to not data-link a linked
  element. (e.g. jQuery UI slider). See https://www.jsviews.com#tagoptions@setvalue

- {{tabs}} API changes: The selectedIndex property is renamed to the
  pane property. The tabCaption property is renamed to the caption
  property

- Some changes to behavior/effect of the bindTo tag option - which is
  now associated with the new bindFrom tag option.
  See https://www.jsviews.com#tagoptions@bindto and https://www.jsviews.com#tagoptions@bindfrom

Major feature improvements

- The {{for}} tag now has built-in support for sort, filter, start and
  end. See https://www.jsviews.com#fortag@sortfilterrange

- The {{props}} tag now has built-in support for sort, filter, start
  and end. See https://www.jsviews.com#propstag@sortfilterrange

- New converters encode/unencode. See https://www.jsviews.com#convertersapi@encode

- New tag options: bindFrom - together with tag option bindTo - provide
  improved features for custom tags.
  See https://www.jsviews.com#tagoptions@bindto and https://www.jsviews.com#tagoptions@bindfrom

- New support for observing/unobserving contextual parameters.
  $.observe(tagOrView, "~foo", callback) - documentation to follow

- New support for observing properties of any item in an array, using
  "array.[].*" or "array.[].foo" (or "array.[]^*", etc.) - documentation to follow

- Late paths support: "@a.b.c" - documentation to follow

- New support for getting a reference to a tag instance using
  {^{mytag this=~myTag}} - documentation to follow

Minor feature improvements

- Custom tag linkedElem can now target non-editable and contentEditable.
  See https://www.jsviews.com#bindingpatterns@linkedelem

- New APIs added for tagCtx.ctxPrm(), tagCtx.cvtArgs() and
  tagCtx.bndArgs() even for non-data-linked tags - documentation to follow

- The contentCtx option now works also for custom tag using render(),
  rather than a template. See https://www.jsviews.com#tagsapi@contentctx

- In a template, ~tag.tagCtx.xxx can now be written ~tagCtx.xxx,
  and works correctly e.g. for data-linking using
  {{mytag}}{{else}}{{~tagCtx...}}{{/mytag}} - documentation to follow

- ~tagCtx is now a reserved name like ~tag ~root ~parentTags...

- On a custom tag, the bindTo option is not needed with 2-way linking
  to first argument

- updateValue() now supports an async option: pass true for the fourth
  parameter, defer - updateValue(val, index, tagElse, tag, defer).
  - Documentation to follow

- New debug:true option on a compiled template.
  See https://www.jsviews.com#d.templates@debug

- New depends option on custom tags (see https://www.jsviews.com#tagoptions@depends)
  or an instance property {{someTag depends='a.b'}} or
  {{someTag depends=~someTagDependsArray}}

- An error will be thrown if different versions of jsrender.js,
  jquery.observable.js and  jquery.views.js are loaded together

- DataMap, {{props}} and {{jsonview}} now include support for function
  properties too, unless opt out using {{props foo noFunctions=true}}.
  See https://www.jsviews.com#propstag@nofunctions

- Support for nested {{for}} tags without iteration, and for then
  applying operations such as sorting to arrays in nexted context, as in
  {{for filter=... noIteration=true}}{{for sort=... noIteration=true}}{{for start=...  end=...}}.
  See https://www.jsviews.com#fortag@itemvar

Documentation

- Extensive new documentation, especially on custom tag controls:
  See https://www.jsviews.com#jsvtagcontrols. For an example of a JsViews
  custom tag control see https://www.jsviews.com#samples/tag-controls/colorpicker

Minor bug fixes, including:

- a contentEditable bug for IE

- a bug for data-linking to 'length' property.

- a bug when a computed property 'depends' mixes data and contextual paths

- a bug in jquery-1.x cleanData

- a bug in move() arrayChange on {{for}}

- Issue BorisMoore/jsviews#408
  $.observe('ns', model.list, '[]^qty', handler);??

- Issue BorisMoore/jsviews#406
  Weird data-linked `for` loop behaviour with deep observing after model update

- Issue BorisMoore/jsviews#404
  Props Convert else statement not working

- Issue BorisMoore/jsviews#403
  ~ operator support

- Issue BorisMoore/jsviews#400
  Move the tag property in views to before rendering, to enable "get current path" path scenario

- Issue BorisMoore/jsviews#398
  After DOM modifications to the child options of a data-linked select, the first option shows as selected

- Issue BorisMoore/jsviews#397
  {^{radiogroup value disabled=notEnabled}} is now supported

- Issue BorisMoore/jsviews#198
  Provide full documentation of custom tags using 2-way binding, binding to args or props etc.

- Issue BorisMoore/jsviews#374
  Wrong initial value shown (timespinner control)

- Issue BorisMoore/jsrender#335
  encode and unencode converters
BorisMoore added a commit to BorisMoore/jsviews.com that referenced this issue Sep 21, 2018
@BorisMoore
Commit 91 (v0.9.91 - Beta)
9125a97 
Major update

Breaking change

- Templates declared in <div> or other non script element are not
  supported. (Throws with error message)

Minor breaking changes

- The {{range}} tag has been removed - replaced by {{for}} tag using
  built-in range features. See https://www.jsviews.com#jsvfortag@jsvsortfilterrange

- Changed behavior of .setValue() API on custom tags. The .setValue()
  method is called even for undefined values. The .getValue() method
  is not called. Return false from setValue to not data-link a linked
  element. (e.g. jQuery UI slider). See https://www.jsviews.com#tagoptions@setvalue

- {{tabs}} API changes: The selectedIndex property is renamed to the
  pane property. The tabCaption property is renamed to the caption
  property

- Some changes to behavior/effect of the bindTo tag option - which is
  now associated with the new bindFrom tag option.
  See https://www.jsviews.com#tagoptions@bindto and https://www.jsviews.com#tagoptions@bindfrom

Major feature improvements

- The {{for}} tag now has built-in support for sort, filter, start and
  end. See https://www.jsviews.com#fortag@sortfilterrange

- The {{props}} tag now has built-in support for sort, filter, start
  and end. See https://www.jsviews.com#propstag@sortfilterrange

- New converters encode/unencode. See https://www.jsviews.com#convertersapi@encode

- New tag options: bindFrom - together with tag option bindTo - provide
  improved features for custom tags.
  See https://www.jsviews.com#tagoptions@bindto and https://www.jsviews.com#tagoptions@bindfrom

- New support for observing/unobserving contextual parameters.
  $.observe(tagOrView, "~foo", callback) - documentation to follow

- New support for observing properties of any item in an array, using
  "array.[].*" or "array.[].foo" (or "array.[]^*", etc.) - documentation to follow

- Late paths support: "@a.b.c" - documentation to follow

- New support for getting a reference to a tag instance using
  {^{mytag this=~myTag}} - documentation to follow

Minor feature improvements

- Custom tag linkedElem can now target non-editable and contentEditable.
  See https://www.jsviews.com#bindingpatterns@linkedelem

- New APIs added for tagCtx.ctxPrm(), tagCtx.cvtArgs() and
  tagCtx.bndArgs() even for non-data-linked tags - documentation to follow

- The contentCtx option now works also for custom tag using render(),
  rather than a template. See https://www.jsviews.com#tagsapi@contentctx

- In a template, ~tag.tagCtx.xxx can now be written ~tagCtx.xxx,
  and works correctly e.g. for data-linking using
  {{mytag}}{{else}}{{~tagCtx...}}{{/mytag}} - documentation to follow

- ~tagCtx is now a reserved name like ~tag ~root ~parentTags...

- On a custom tag, the bindTo option is not needed with 2-way linking
  to first argument

- updateValue() now supports an async option: pass true for the fourth
  parameter, defer - updateValue(val, index, tagElse, tag, defer).
  - Documentation to follow

- New debug:true option on a compiled template.
  See https://www.jsviews.com#d.templates@debug

- New depends option on custom tags (see https://www.jsviews.com#tagoptions@depends)
  or an instance property {{someTag depends='a.b'}} or
  {{someTag depends=~someTagDependsArray}}

- An error will be thrown if different versions of jsrender.js,
  jquery.observable.js and  jquery.views.js are loaded together

- DataMap, {{props}} and {{jsonview}} now include support for function
  properties too, unless opt out using {{props foo noFunctions=true}}.
  See https://www.jsviews.com#propstag@nofunctions

- Support for nested {{for}} tags without iteration, and for then
  applying operations such as sorting to arrays in nexted context, as in
  {{for filter=... noIteration=true}}{{for sort=... noIteration=true}}{{for start=...  end=...}}.
  See https://www.jsviews.com#fortag@itemvar

Documentation

- Extensive new documentation, especially on custom tag controls:
  See https://www.jsviews.com#jsvtagcontrols. For an example of a JsViews
  custom tag control see https://www.jsviews.com#samples/tag-controls/colorpicker

Minor bug fixes, including:

- a contentEditable bug for IE

- a bug for data-linking to 'length' property.

- a bug when a computed property 'depends' mixes data and contextual paths

- a bug in jquery-1.x cleanData

- a bug in move() arrayChange on {{for}}

- Issue BorisMoore/jsviews#408
  $.observe('ns', model.list, '[]^qty', handler);??

- Issue BorisMoore/jsviews#406
  Weird data-linked `for` loop behaviour with deep observing after model update

- Issue BorisMoore/jsviews#404
  Props Convert else statement not working

- Issue BorisMoore/jsviews#403
  ~ operator support

- Issue BorisMoore/jsviews#400
  Move the tag property in views to before rendering, to enable "get current path" path scenario

- Issue BorisMoore/jsviews#398
  After DOM modifications to the child options of a data-linked select, the first option shows as selected

- Issue BorisMoore/jsviews#397
  {^{radiogroup value disabled=notEnabled}} is now supported

- Issue BorisMoore/jsviews#198
  Provide full documentation of custom tags using 2-way binding, binding to args or props etc.

- Issue BorisMoore/jsviews#374
  Wrong initial value shown (timespinner control)

- Issue BorisMoore/jsrender#335
  encode and unencode converters
BorisMoore added a commit that referenced this issue Sep 22, 2018
@BorisMoore
Commit 91 (v0.9.91 - Beta)
d3e2011 
Major update

Breaking change

- Templates declared in <div> or other non script element are not
  supported. (Throws with error message)

Minor breaking changes

- The {{range}} tag has been removed - replaced by {{for}} tag using
  built-in range features. See https://www.jsviews.com#jsvfortag@jsvsortfilterrange

Major feature improvements

- The {{for}} tag now has built-in support for sort, filter, start and
  end. See https://www.jsviews.com#fortag@sortfilterrange

- The {{props}} tag now has built-in support for sort, filter, start
  and end. See https://www.jsviews.com#propstag@sortfilterrange

- New converters encode/unencode. See https://www.jsviews.com#convertersapi@encode

- New tag options: bindFrom - together with tag option bindTo - provide
  improved features for custom tags.
  See https://www.jsviews.com#tagoptions@bindto and https://www.jsviews.com#tagoptions@bindfrom

Minor feature improvements

- New APIs added for tagCtx.ctxPrm(), tagCtx.cvtArgs() and
  tagCtx.bndArgs() even for non-data-linked tags - documentation to follow

- The contentCtx option now works also for custom tag using render(),
  rather than a template. See https://www.jsviews.com#tagsapi@contentctx

- In a template, ~tag.tagCtx.xxx can now be written ~tagCtx.xxx,
  and works correctly e.g. for data-linking using
  {{mytag}}{{else}}{{~tagCtx...}}{{/mytag}} - documentation to follow

- ~tagCtx is now a reserved name like ~tag ~root ~parentTags...

- New debug:true option on a compiled template.
  See https://www.jsviews.com#d.templates@debug

- An error will be thrown if different versions of jsrender.js,
  jquery.observable.js and  jquery.views.js are loaded together

- DataMap, {{props}} and {{jsonview}} now include support for function
  properties too, unless opt out using {{props foo noFunctions=true}}.
  See https://www.jsviews.com#propstag@nofunctions

- Support for nested {{for}} tags without iteration, and for then
  applying operations such as sorting to arrays in nexted context, as in
  {{for filter=... noIteration=true}}{{for sort=... noIteration=true}}{{for start=...  end=...}}.
  See https://www.jsviews.com#fortag@itemvar

Documentation

- Extensive new documentation, especially on custom tag controls:
  See https://www.jsviews.com#jsvtagcontrols. For an example of a JsViews
  custom tag control see https://www.jsviews.com#samples/tag-controls/colorpicker

Minor bug fixes, including:

- a contentEditable bug for IE

- a bug in jquery-1.x cleanData

- Issue BorisMoore/jsviews#404
  Props Convert else statement not working

- Issue BorisMoore/jsviews#403
  ~ operator support

- Issue BorisMoore/jsviews#400
  Move the tag property in views to before rendering, to enable "get current path" path scenario

- Issue #335
  encode and unencode converters
BorisMoore added a commit to BorisMoore/jsviews that referenced this issue Sep 22, 2018
@BorisMoore
Commit 91 (v0.9.91 - Beta)
3f2ae07 
Major update

Breaking change

- Templates declared in <div> or other non script element are not
  supported. (Throws with error message)

Minor breaking changes

- The {{range}} tag has been removed - replaced by {{for}} tag using
  built-in range features. See https://www.jsviews.com#jsvfortag@jsvsortfilterrange

- Changed behavior of .setValue() API on custom tags. The .setValue()
  method is called even for undefined values. The .getValue() method
  is not called. Return false from setValue to not data-link a linked
  element. (e.g. jQuery UI slider). See https://www.jsviews.com#tagoptions@setvalue

- {{tabs}} API changes: The selectedIndex property is renamed to the
  pane property. The tabCaption property is renamed to the caption
  property

- Some changes to behavior/effect of the bindTo tag option - which is
  now associated with the new bindFrom tag option.
  See https://www.jsviews.com#tagoptions@bindto and https://www.jsviews.com#tagoptions@bindfrom

Major feature improvements

- The {{for}} tag now has built-in support for sort, filter, start and
  end. See https://www.jsviews.com#fortag@sortfilterrange

- The {{props}} tag now has built-in support for sort, filter, start
  and end. See https://www.jsviews.com#propstag@sortfilterrange

- New converters encode/unencode. See https://www.jsviews.com#convertersapi@encode

- New tag options: bindFrom - together with tag option bindTo - provide
  improved features for custom tags.
  See https://www.jsviews.com#tagoptions@bindto and https://www.jsviews.com#tagoptions@bindfrom

- New support for observing/unobserving contextual parameters.
  $.observe(tagOrView, "~foo", callback) - documentation to follow

- New support for observing properties of any item in an array, using
  "array.[].*" or "array.[].foo" (or "array.[]^*", etc.) - documentation to follow

- Late paths support: "@a.b.c" - documentation to follow

- New support for getting a reference to a tag instance using
  {^{mytag this=~myTag}} - documentation to follow

Minor feature improvements

- Custom tag linkedElem can now target non-editable and contentEditable.
  See https://www.jsviews.com#bindingpatterns@linkedelem

- New APIs added for tagCtx.ctxPrm(), tagCtx.cvtArgs() and
  tagCtx.bndArgs() even for non-data-linked tags - documentation to follow

- The contentCtx option now works also for custom tag using render(),
  rather than a template. See https://www.jsviews.com#tagsapi@contentctx

- In a template, ~tag.tagCtx.xxx can now be written ~tagCtx.xxx,
  and works correctly e.g. for data-linking using
  {{mytag}}{{else}}{{~tagCtx...}}{{/mytag}} - documentation to follow

- ~tagCtx is now a reserved name like ~tag ~root ~parentTags...

- On a custom tag, the bindTo option is not needed with 2-way linking
  to first argument

- updateValue() now supports an async option: pass true for the fourth
  parameter, defer - updateValue(val, index, tagElse, tag, defer).
  - Documentation to follow

- New debug:true option on a compiled template.
  See https://www.jsviews.com#d.templates@debug

- New depends option on custom tags (see https://www.jsviews.com#tagoptions@depends)
  or an instance property {{someTag depends='a.b'}} or
  {{someTag depends=~someTagDependsArray}}

- An error will be thrown if different versions of jsrender.js,
  jquery.observable.js and  jquery.views.js are loaded together

- DataMap, {{props}} and {{jsonview}} now include support for function
  properties too, unless opt out using {{props foo noFunctions=true}}.
  See https://www.jsviews.com#propstag@nofunctions

- Support for nested {{for}} tags without iteration, and for then
  applying operations such as sorting to arrays in nexted context, as in
  {{for filter=... noIteration=true}}{{for sort=... noIteration=true}}{{for start=...  end=...}}.
  See https://www.jsviews.com#fortag@itemvar

Documentation

- Extensive new documentation, especially on custom tag controls:
  See https://www.jsviews.com#jsvtagcontrols. For an example of a JsViews
  custom tag control see https://www.jsviews.com#samples/tag-controls/colorpicker

Minor bug fixes, including:

- a contentEditable bug for IE

- a bug for data-linking to 'length' property.

- a bug when a computed property 'depends' mixes data and contextual paths

- a bug in jquery-1.x cleanData

- a bug in move() arrayChange on {{for}}

- Issue #408
  $.observe('ns', model.list, '[]^qty', handler);??

- Issue #406
  Weird data-linked `for` loop behaviour with deep observing after model update

- Issue #404
  Props Convert else statement not working

- Issue #403
  ~ operator support

- Issue #400
  Move the tag property in views to before rendering, to enable "get current path" path scenario

- Issue #398
  After DOM modifications to the child options of a data-linked select, the first option shows as selected

- Issue #397
  {^{radiogroup value disabled=notEnabled}} is now supported

- Issue #198
  Provide full documentation of custom tags using 2-way binding, binding to args or props etc.

- Issue #374
  Wrong initial value shown (timespinner control)

- Issue BorisMoore/jsrender#335
  encode and unencode converters
@BorisMoore
Copy link
Owner

This has been fixed in release v0.9.91.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature request Planned for V1.1 Resolved
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@BorisMoore @alnico2001