Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upescaping xml / html in tables #878
Comments
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
amolenaar
Mar 4, 2016
Collaborator
This is kind of a nasty one. The Slim test system runs the HTML, not the wiki text. As a result, elements are passed on the way they are rendered in the HTML page.
Your assumption 1. is true: the !- operator just takes the contents of the "escaped" block and adds it to the page. Seems like '!<' has not done anything for quite a few years (I checked even back to 2012). I'll remove it from the reference guide.
About assumption 2, the map is sent to Slim as a html <table>. We might want to look into unescaping values inside that table (on the slim server side) when it's converted back to a Map. For that we'd need the same logic as being used in fitnesse.testsystems.slim.HtmlTable.
A short-term solution would be to unescape the contents in the fixture (call HtmlUtil.unescapeHtml()).
|
This is kind of a nasty one. The Slim test system runs the HTML, not the wiki text. As a result, elements are passed on the way they are rendered in the HTML page. Your assumption 1. is true: the About assumption 2, the map is sent to Slim as a html A short-term solution would be to unescape the contents in the fixture (call |
amolenaar
added this to the
Next release milestone
Mar 4, 2016
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
amolenaar
Mar 8, 2016
Collaborator
I suppose this is what you're looking for:
The value printed by the SUT on stdout is:
Hash script is <script><b>bold</b></script>
Hence, the hash value is properly unescaped by FitNesse, just like a normal value passed to the SUT.
|
I suppose this is what you're looking for:
The value printed by the SUT on stdout is: Hence, the hash value is properly unescaped by FitNesse, just like a normal value passed to the SUT. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
legatoloco
Mar 10, 2016
I guess so (unless i miss-understood your example)
This is the java function i'm using:
public String testmap(Map value){
return "something";
}
And these are the two options i have when passing the xml
which gets rendered in view mode as:
and in test mode as
If you debug the code, "value" is equal to:
Which shows that if I don't escape the xml myself, i get it escaped <script>
while if i do escape it first, it breaks the rendering in wiki (because now we do get the actual <script>, visible when you view-source) which breaks the html renderer of the browser, and generates the broken (but un-escaped code show in point 2)
Excuse the screenshot, but given that this is an encoding issue, i didn't want to add more confusion due to the github issue editor (which requires it's own escaping)
Related observation (but might require opening a different issue)
Check how the rendering fails differently in view vs edit mode.
Of course, not escaping has a better result when working with strings and not maps (like in the last two screenshots) as the content is sent correctly when not escaped, except that scripts are executes (the reason why the example i sent says "ablert" and not "alert"
legatoloco
commented
Mar 10, 2016
|
I guess so (unless i miss-understood your example) If you debug the code, "value" is equal to: Which shows that if I don't escape the xml myself, i get it escaped <script> Excuse the screenshot, but given that this is an encoding issue, i didn't want to add more confusion due to the github issue editor (which requires it's own escaping) Related observation (but might require opening a different issue)
Check how the rendering fails differently in view vs edit mode. Of course, not escaping has a better result when working with strings and not maps (like in the last two screenshots) as the content is sent correctly when not escaped, except that scripts are executes (the reason why the example i sent says "ablert" and not "alert" |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
amolenaar
Mar 10, 2016
Collaborator
And my table looks like this:
| script | hash fixture |
| send | !{script:<script><b>bold</b></script>} | as hash |
| check | hash | script | is | <script><b>bold</b></script> |
So in your example, that would translate to:
| check | testmap; | {code: <script><nested>ablert(1)</nested></script>} | <script><nested>ablert(1)</nested></script> |
Which yields the desired effect, right?
|
And my table looks like this: So in your example, that would translate to: Which yields the desired effect, right? |
amolenaar
referenced this issue
Mar 10, 2016
Merged
Clean up HtmlUtil and escape hash table keys and values #886
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
amolenaar
Mar 10, 2016
Collaborator
Oh no! My "fix" caused nested hash tables to not render properly :(. Back to the drawing board...
|
Oh no! My "fix" caused nested hash tables to not render properly :(. Back to the drawing board... |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
|
#886 has been merged |
legatoloco commentedFeb 24, 2016
I have function that expects a content that looks like
{"xml":"<script><tag>content</tag></script>"}
(as a map)
when building the table for this, it looks like
| check | functionName; | !{xml:<script><tag>content</tag></script>} | output |
This breaks the wiki rendering due to the unescaped <script> element. the function receives a completely broken xml
| check | functionName; | !{xml:!-<script><tag>content</tag></script>-!} | output |
This breaks the function as the xml is never unescaped
I assume that one of !- or !< (which didn't do anything, ended up not interpreting the !< and considering it part of the text) is supposed to
Which one should it be? and in all cases, I believe that both are broken.