[jboss-user] [JBoss Portal] - Configure dashboard javascript error w single quote in portl
esmith1
do-not-reply at jboss.com
Tue May 20 17:41:14 EDT 2008
We noticed a javascript error in the configure dashboard option when the list of portlets includes the "Who's online portlet". Under IE6 with script debugging enabled this shows up during page load; under FF it shows up later when you hover over that portlet.
I tracked it down to jboss-portal.sar\portal-core.war\WEB-INF\jsp\content\portlet_editor.jsp.
The existing code uses the portlet displayName to construct a DIV.
<div class="darktip" id="info-container-<%= displayName %>">
| becomes
| <div class="darktip" id="info-container-Who's online portlet">
Then refers to that div in javascript a few lines later in a getElementById call, but if the div name has a single quote in it then it does not get escaped and so the javascript string is terminated. <span onmouseover="domTT_activate(this, event, 'content', document.getElementById('info-container-<%= displayName %>'),'delay', 0 ...
| becomes
| <span onmouseover="domTT_activate(this, event, 'content', document.getElementById('info-container-Who's online portlet'),'delay', 0 ...
I think the problem with this approach of naming the DIV is that the HTML standard only allows ID values to use alphanumeric, hyphen, colon, underscore, period. http://www.w3.org/TR/html401/types.html#type-name. I do not know what portlet display names allow, but clearly they allow problematic chars.
Here is a fix that is not perfect (because it does not account for duplicates) but is an improvement.
1) within the same for loop, above the <div line, define a variable and use the ID, not the displayName.
String sDivName = "info-container-" + instance.getId().replace(' ','.');
2) change the <div tag
<div class="darktip" id="<%=sDivName%>">
3) change the <span tag
<span onmouseover="domTT_activate(this, event, 'content', document.getElementById('<%=sDivName%>'),'delay', 0, ...
I don't know enough about JIRA to know if I am supposed to enter this there, or wait for someone to tell me to, or if someone else will do it.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4152151#4152151
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4152151
More information about the jboss-user
mailing list