[Rt-devel] the /CLASS modifier in ParseFormat

Nicholas Clark nick at ccl4.org
Tue Aug 21 09:55:54 EDT 2007


On Mon, Aug 20, 2007 at 09:22:37PM +0100, Nicholas Clark wrote:
> On Tue, Aug 21, 2007 at 12:18:47AM +0400, Ruslan Zakirov wrote:
> > as well it may be better to join classes instead of replacing.
> 
> > > On Aug 20, 2007, at 11:55 AM, Nicholas Clark wrote:
> 
> > > > -    $m->out('<td class="collection-as-table" ');
> > > > +    my $class = $column->{class} || 'collection-as-table';
> > > > +    $m->out(qq{<td class="$class" });
> 
> I wasn't sure about that. I initially had the code appending to the class,
> but it occurred to me that then there wasn't a way to take out
> 'collection-as-table' if you wanted to do that. Whereas this way, you can
> add it in if you also need it.

Done (my way for now) as revision 8669. Please change it if necessary.

I attempted to make a patch to counter potential XSS problems with /ALIGN
and /STYLE, but couldn't manage to be sure that it was working so didn't
commit it. (Couldn't actually craft a query string that would parse correctly,
and I am under severe time pressure, so I can't stop to resolve this. Sorry)

I've appended the patch - I think that it is correct, but I can't prove it.

Nicholas Clark

Index: html/Elements/CollectionAsTable/Row
===================================================================
--- html/Elements/CollectionAsTable/Row	(revision 8669)
+++ html/Elements/CollectionAsTable/Row	(working copy)
@@ -75,8 +75,12 @@
     my $class = $column->{class}
 	? encode_entities($column->{class}, q{'"&<>}) : 'collection-as-table';
     $m->out(qq{<td class="$class" });
-    $m->out( 'align="' . $column->{align} . '"' ) if ( $column->{align} );
-    $m->out( 'style="' . $column->{style} . '"' ) if ( $column->{style} );
+    if ( $column->{align} ) {
+        $m->out( 'align="' . encode_entities( $column->{align}, q{'"&<>} ) . '"' ) ;
+    }
+    if ( $column->{style} ) {
+        $m->out( 'style="' . encode_entities( $column->{style}, q{'"&<>} ) . '"' ) ;
+    }
     $m->out('>');
     foreach my $subcol ( @{ $column->{output} } ) {
         if ( $subcol =~ /^__(.*?)__$/o ) {
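Review bot: the `style` branch (second `+` block) only escapes the attribute delimiters, which keeps the value from breaking out of `style="..."` but still passes arbitrary CSS through to the page; since the concern here is untrusted /STYLE input, validating the value against an allowed set of properties/values would be safer than `encode_entities` alone. For `align` the legal values are a fixed set (`left`, `center`, `right`, `justify`), so a whitelist check is both simpler and stricter than entity encoding. Also, neither new branch emits a leading space, so when both are set the output runs `align="..."style="..."` together; writing `' align="' . ...` and `' style="' . ...` (the `<td class="$class" ` line above already supplies its own trailing space) fixes that. Minor: the space before `;` in `. '"' ) ;` on both lines does not match the surrounding style.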

