[jboss-user] [JBoss Portal] - Configure dashboard javascript error w single quote in portl

esmith1 do-not-reply at jboss.com
Tue May 20 17:41:14 EDT 2008


We noticed a javascript error in the configure dashboard option when the list of portlets includes the "Who's online portlet".  Under IE6 with script debugging enabled this shows up during page load; under FF it shows up later when you hover over that portlet.

I tracked it down to jboss-portal.sar\portal-core.war\WEB-INF\jsp\content\portlet_editor.jsp.

The existing code uses the portlet displayName to construct a DIV.

<div class="darktip" id="info-container-<%= displayName %>">

becomes

<div class="darktip" id="info-container-Who's online portlet">

Then it refers to that div in javascript a few lines later in a getElementById call, but if the div name has a single quote in it then it does not get escaped and so the javascript string is terminated.

<span onmouseover="domTT_activate(this, event, 'content', document.getElementById('info-container-<%= displayName %>'),'delay', 0  ...

becomes

<span onmouseover="domTT_activate(this, event, 'content', document.getElementById('info-container-Who's online portlet'),'delay', 0 ...

I think the problem with this approach of naming the DIV is that the HTML standard only allows ID values to use alphanumeric, hyphen, colon, underscore, period (http://www.w3.org/TR/html401/types.html#type-name).  I do not know what portlet display names allow, but clearly they allow problematic chars.

Here is a fix that is not perfect (because it does not account for duplicates) but is an improvement.
1) within the same for loop, above the <div line, define a variable and use the ID, not the displayName.
String sDivName = "info-container-" + instance.getId().replace(' ','.');
2) change the <div tag
<div class="darktip" id="<%=sDivName%>">
3) change the <span tag
<span onmouseover="domTT_activate(this, event, 'content', document.getElementById('<%=sDivName%>'),'delay', 0, ... 

I don't know enough about JIRA to know if I am supposed to enter this there, or wait for someone to tell me to, or if someone else will do it.  


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4152151#4152151

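An added example, not part of the original post and not JBoss Portal code: it reproduces the parse failure of the generated onmouseover handler and shows an id derivation that goes beyond the posted fix by replacing every character outside the HTML 4 ID set and by giving duplicates a suffix. The function names (safeDomId, handlerSource, compiles) are hypothetical, and the second sample id is constructed.

```javascript
// Added example, not JBoss Portal code; all function names are hypothetical.
// HTML 4 ID tokens: a letter first, then letters, digits, '-', '_', ':', '.'.
const HTML4_ID = /^[A-Za-z][A-Za-z0-9_:.-]*$/;

// Derive an element id from a portlet instance id. Every character outside
// the allowed set is replaced (not only spaces), and repeats get a numeric
// suffix. `used` is a Set shared by all ids generated for one page.
function safeDomId(prefix, raw, used) {
  const base = prefix + String(raw).replace(/[^A-Za-z0-9_:.-]/g, '.');
  let id = base;
  for (let n = 2; used.has(id); n++) id = base + '-' + n;
  used.add(id);
  return id;
}

// Handler source as the JSP emits it: the id is pasted between single quotes
// inside a JavaScript string literal. The arguments the post elides after
// 'delay', 0 are left out here.
function handlerSource(divId) {
  return "domTT_activate(this, event, 'content', " +
         "document.getElementById('" + divId + "'), 'delay', 0)";
}

// True when a browser could compile the handler. new Function only parses
// the source here; it is never called.
function compiles(src) {
  try {
    new Function('event', src);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample: two instances whose ids sanitize to the same base.
const used = new Set();
const rawName = "Who's online portlet";
const report = {
  rawCompiles: compiles(handlerSource('info-container-' + rawName)),
  first: safeDomId('info-container-', rawName, used),
  second: safeDomId('info-container-', 'Who s online portlet', used),
};
report.safeCompiles = compiles(handlerSource(report.first));
console.log(report);
```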