[Kss-devel] Escaping of replaceInnerHTML() output
Martin Aspeli
optilude at gmx.net
Wed Oct 24 23:22:03 CEST 2007
Balazs Ree wrote:
> Hi Martin,
>
> On Wed, 24 Oct 2007 01:56:33 +0100, Martin Aspeli wrote:
>
>> I assume there's something dodgy going on when you call node.innerHTML.
>>
>> Is this a bug in KSS?
>
> Before I go deeper into this I would like to ask something.
>
> From the code I see you are trying with version 1.2 (Plone 3.0). Can you
> please try with version 1.4 (Plone trunk) as well and see if you have the
> same problem?
I switched to KSS trunk, and indeed it works now. Tags are properly
escaped. I now need to test the opposite - having stuff *not* be escaped
when explicitly requested, but I assume that'll work.
> Between the two versions we changed the marshalling of html content. We
> were forced to do this by what we believed is a Firefox bug in handling
> namespaces / xpath queries. However we realized that actually the new way
> is the more correct way and besides it fixed some other problems as well
> it also made our code more simple and free from subtle xml/html issues.
> It may affect this issue, and if a fix is needed it should happen on the
> new version.
Will you backport this to the 1.2 branch? It seems like an important
bugfix thing, with potential security implications.
Martin
--
Author of `Professional Plone Development`, a book for developers who
want to work with Plone. See http://martinaspeli.net/plone-book