[Rt-devel] [PATCH 3.7-RTIR-RELENG] XHTML nitpicks - Widgets/TitleBoxStart
Ruslan Zakirov
ruz at bestpractical.com
Wed Oct 31 09:34:26 EDT 2007
Applied only the second part. The first one is a potential security risk
unless $id is escaped.
On 10/30/07, Jason Long <jlong at messiah.edu> wrote:
> Widgets/TitleBoxStart generates code like this:
>
> <div class="titlebox " id="">
> ...
> <div class="titlebox-content "
> id="TitleBox--_Prefs_Other.html------Date and time---0">
>
> For the first div, XHTML validator complains:
>
> syntax of attribute value does not conform to declared value .
>
> For the second quoted div, XHTML validator complains:
>
> value of attribute "id" must be a single token .
>
> In other words, better to not even put an id attribute if you don't
> have a value, and id values should be sanitized. See patch below.
> ---
>
> html/Widgets/TitleBoxStart | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/html/Widgets/TitleBoxStart b/html/Widgets/TitleBoxStart
> index 704caa7..9d954c8 100755
> --- a/html/Widgets/TitleBoxStart
> +++ b/html/Widgets/TitleBoxStart
> @@ -45,7 +45,7 @@
> %# those contributions and any derivatives thereof.
> %#
> %# END BPS TAGGED BLOCK }}}
> -<div class="titlebox <% $class %>" id="<% $id %>">
> +<div class="titlebox <% $class %>"<% $id ? qq[ id="$id"] : ''|n %>>
> <div class="titlebox-title<% $title_class && " $title_class" %>">
> % if ($hideable) {
> <span class="widget"><a href="#" onclick="return rollup('<%$tid%>');" onfocus="this.blur(); return false;" title="Toggle visibility">X</a></span>
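Review bot: the `|n` flag on the new `+` line switches off Mason's default output escaping for the whole expression, so `$id` is now interpolated into the `id` attribute unescaped, whereas the removed `id="<% $id %>"` still went through the default filter; a `$id` containing `"` or `>` would terminate the attribute or the tag. Keep the conditional but let the default filter do its work, e.g. emit `id="<% $id %>"` inside an `% if ($id) {` ... `% }` block like the `% if ($hideable) {` block just below, or HTML-escape `$id` before building the `qq[ id="$id"]` string and only then apply `|n`.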
> @@ -78,7 +78,7 @@ my $page = $m->request_comp->path;
> my $tid = "TitleBox--$page--" .
> join '--', ($class, $bodyclass, $title, $id);
>
> -$tid =~ s{/}{_}g;
> +$tid =~ s{[/\s]+}{_}g;
>
> my $i = 0;
> $i++ while $m->notes("$tid-$i");
>
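Review bot: `s{[/\s]+}{_}g` only removes slashes and whitespace, but `$tid` is built from `$page`, `$class`, `$bodyclass`, `$title` and `$id`, which can carry any other character that is not allowed in an XHTML `id` (quotes, `&`, parentheses, `#`, non-ASCII), so the validator's single-token complaint would return for such titles. A whitelist such as `s{[^\w.:-]+}{_}g` (letters, digits, `_`, `.`, `:`, `-`) fixes the general case and, because `$tid` is also placed in the `onclick="return rollup('<%$tid%>');"` handler of the first hunk, it removes quote characters from that JavaScript string as well. The `$i` suffix loop that follows already keeps the result unique, so collapsing more characters is safe.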
> _______________________________________________
> List info: http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-devel
--
Best regards, Ruslan.