What is the best way to escape HTML on ExtJS application generally? - rest

I am developing a web application that uses ExtJS to build the GUI and communicates with the server via a RESTful web service (the returned data is formatted as JSON objects).
Now I am having problems processing data that contains HTML tags and JavaScript code inside, because when I set those values on Ext forms, labels and input fields, they are affected by that markup.
I used this function to load data from model object to form:
form.loadRecord(model);
I have found a solution to escape HTML and JS: using
field.setValue(Ext.util.Format.htmlDecode(data));
but I think that is not a good solution for the whole application, because the developers must do so many things: review all input fields and labels, and put that snippet on them. And after all, that is not a beautiful way to build a fast, robust and maintainable application.
So, could you please help me find a solution that can be modified in one place and affects the rest? Can I override the setValue/setLabel of AbstractComponent? Or should I encode the data before rendering it? And how do I decode that data?
(P/S: I use the Grails framework on the server side)
Thank you so much.

If you're using Ext.XTemplate, you can escape html in fields like this:
var tpl = new Ext.XTemplate(
'<p>My Field: {myField:htmlEncode}</p>'
);

Everything depends on your use case, but what I do is escape all HTML code on the server side, so that there are no 'forgotten' places by mistake. That of course creates problems when these data need to be loaded into form fields, because they are escaped.
The easiest solution is to override setValue for all form fields and use the ExtJS htmlDecode function, which will revert these values back to normal.
Ext.override(Ext.form.field.Base, {
setValue: function(val) {
val = Ext.util.Format.htmlDecode(val);
return this.callParent([val]);
}
});

This link has an excellent answer by jack.slocum:
https://www.sencha.com/forum/showthread.php?13913
grid.on('validateedit', function(e){
e.value = Ext.util.Format.stripTags(e.value);
});
The util method Ext.util.Format.stripTags() removes all HTML/script tags.
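The three answers above share one pattern: encode at the HTML boundary, decode only where the browser will not parse the text as markup (an input's value property), and treat stripTags as a lossy last resort. The following is an added example that is not part of the question or of any answer and is not ExtJS code: a plain-JavaScript model of that pattern that runs under Node without ExtJS. Ext.util.Format.htmlEncode, htmlDecode and stripTags are real ExtJS functions; the htmlEncode, htmlDecode and stripTags below are my own stand-alone equivalents and assume a five-character mapping (& < > " '), since the exact set ExtJS encodes varies by version. serverEncodeRecord, renderLabel, fieldSetValue and the sample record are my own constructions.

```javascript
// Added example (not from the question, the answers, or ExtJS itself):
// a stand-alone model of "encode on the server, decode only into form
// field values". The mapping below is an assumption; ExtJS versions
// differ in whether the single quote is encoded.
const ENCODE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Equivalent of Ext.util.Format.htmlEncode (my own implementation).
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Equivalent of Ext.util.Format.htmlDecode (my own implementation).
// '&amp;' is handled last so that '&amp;lt;' decodes to '&lt;', not '<'.
function htmlDecode(value) {
  return String(value)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Equivalent of Ext.util.Format.stripTags (my own implementation): removes
// anything that looks like a tag and keeps the text between tags. It is
// lossy, so it suits cleaning a grid edit, not preserving user input.
function stripTags(value) {
  return String(value).replace(/<\/?[^>]+>/gi, '');
}

// Server side (Grails in the question): encode every string field once,
// so the JSON the client receives is safe to drop into markup as-is.
function serverEncodeRecord(record) {
  const encoded = {};
  for (const [key, val] of Object.entries(record)) {
    encoded[key] = typeof val === 'string' ? htmlEncode(val) : val;
  }
  return encoded;
}

// Markup path (an XTemplate, a label): the value is concatenated into HTML,
// so it must stay encoded.
function renderLabel(encodedValue) {
  return '<label>' + encodedValue + '</label>';
}

// Value path (the setValue override in the answer above): the text goes into
// the input's value property, which the browser never parses as HTML, so
// decoding restores exactly what the user typed.
function fieldSetValue(field, encodedValue) {
  field.value = htmlDecode(encodedValue);
  return field;
}

// Constructed sample record containing markup and both quote kinds.
const sample = { name: '<b>Bob</b> & "Co"', note: "it's <fine>", count: 3 };
const fromServer = serverEncodeRecord(sample);
const nameField = fieldSetValue({}, fromServer.name);

// Round trip: what the user typed comes back unchanged in the field, while
// the label markup still contains no raw '<b>'.
function roundTripIsClean() {
  return nameField.value === sample.name &&
    !renderLabel(fromServer.name).includes('<b>') &&
    htmlDecode(htmlEncode(sample.note)) === sample.note;
}

console.log(fromServer.name);        // &lt;b&gt;Bob&lt;/b&gt; &amp; &quot;Co&quot;
console.log(nameField.value);        // <b>Bob</b> & "Co"
console.log(stripTags(sample.name)); // Bob & "Co"
console.log(roundTripIsClean());     // true
```

The decode-on-setValue override only stays correct while every value that reaches a field has been encoded exactly once on the way in: decoding an unencoded value that happens to contain a literal "&lt;" silently turns it into "<", and encoding twice on the server leaves "&amp;lt;" in the field. Keeping the encoding step in one server-side place, as the second answer suggests, is what makes the single client-side decode safe.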

Related

Custom Search Results in REST MarkLogic

So new to MarkLogic, I am stuck and not finding the documentation of use. I know what I need to do, just do not know how to do it.
I have a keyvalue? search on my REST server which returns ML's standard search results and XML snippet. I want to create my own custom search result which will output a title element for my XML files.
I am aware that I need to create an XSLT transformation document and upload that to the server, but do not know how to target ML's search function or how to write this out.
I have basic knowledge of XSLT; if I just created something that targets each file's title using XPath, will this work, or does ML require use of their custom functions?
I know it's a bit broad, but hopefully someone can steer me.
Sounds like you are talking about the GET /v1/keyvalue endpoint of MarkLogic REST API. Unfortunately that does not allow you to choose a transform. You can probably use GET /v1/search with a transform param instead though, using a structured query for an element value query. The docs contain a good syntax reference on that.
Docs on creating and managing transforms can be found here:
http://docs.marklogic.com/guide/rest-dev/transforms#chapter
HTH!
You can use extract-metadata in your search options with search:search or the /v1/search/ REST API endpoint to include the title element in a metadata element or JSON property in your results:
import module namespace search = "http://marklogic.com/appservices/search"
at "/MarkLogic/appservices/search/search.xqy";
search:search(
"my query string",
<options xmlns="http://marklogic.com/appservices/search">
<extract-metadata>
<qname elem-ns="" elem-name="title"/>
</extract-metadata>
</options>)
If you need more flexibility, you can specify a custom snippet implementation or a results decorator function in your search options.
Is this key-value or full text? For key-value you could use XPath. Any XPath that starts with / or // or fn:collection() or fn:doc() will search the entire database. You can search specific document(s) or collection(s) too.
For full text you'd probably want to use https://docs.marklogic.com/search:search - or possibly https://docs.marklogic.com/cts:search for really low-level control.
There's some example code using search:search from XSL at https://github.com/marklogic/RunDMC which might help. It doesn't use the REST API: it's a traditional form-submit web page. But the view/search.xsl code might give you some idea how to call the search API from XSLT.
That RunDMC code might also help you if you need to call XSL from XQuery: take a look at controller/transform.xqy.

Protractorjs testing - how to use :contains('someText') - possibly escaping strings incorrectly

I have an Angular form that I need to test and I want to select an item without an identity, via its text node contents. In jQuery and Selenium on other platforms, I was able to use a special CSS selector called :contains() which allows me to find stuff:
ptor.findElement(protractor.By.css('label:contains(\'some text\') > input')).getAttribute('value').then(function (value) {
expect(value).toContain('myExpectedValue');
});
When I run this I get a lexical error about invalid string. I've tried a variety of ways to escape the quotes in the string. I have also tried an xpath expression, which did the same thing after introducing quotes. It looked something like this:
ptor.findElement(protractor.By.xpath('//label[text()="some text"]/descendant::input[1])')).getAttribute('value').then(function (value) {
expect(value).toContain('myExpectedValue');
});
That failed the same way.
1: Is the :contains selenium function available in protractor?
2: Am I escaping my strings wrong?
Please don't tell me to attach an identity to the object. I am not allowed to modify the markup.
You can't use :contains with the protractor.By.css locator because :contains is not part of the CSS3 spec (see here)
I don't know what's wrong with your xpath, but it's not the escaping. I've used xpath strings like that in protractor.
Update:
In response to the lack of a ':contains' selector, a new locator was created for this purpose:
Example: By.cssContainingText('ul .pet', 'Dog') will find all ul children with class 'pet' containing the text 'Dog'. Read more about it here
Note: you might need to update, since older versions of Protractor don't have this selector.
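The question asks whether the strings are escaped wrong. XPath 1.0 string literals have no escape sequences at all, so a value containing both a single and a double quote cannot be written as one quoted literal; it has to be assembled with concat(). As an added example that is not part of the question or the answers, here is a small helper that builds such literals and the label-to-input expression from the question around them. xpathLiteral, labelInputXPath and quotesBalanced are my own names, not Protractor API; the assembled string is what you would pass to protractor.By.xpath.

```javascript
// Added example (not from the question or the answers): building XPath
// string literals. XPath 1.0 has no escape sequences inside a string
// literal, so a value containing both ' and " can only be expressed with
// concat(). xpathLiteral and labelInputXPath are my own names.

function xpathLiteral(text) {
  const s = String(text);
  if (!s.includes('"')) return '"' + s + '"';   // e.g. "some text"
  if (!s.includes("'")) return "'" + s + "'";   // e.g. 'say "hi"'
  // Both kinds present: split on the double quote so every piece can be a
  // double-quoted literal, and re-insert the double quotes as '"'.
  const pieces = s.split('"').map((p) => '"' + p + '"');
  return 'concat(' + pieces.join(', \'"\', ') + ')';
}

// The expression from the question, assembled from a literal rather than
// quoted by hand: the label text is data, the rest is the query.
function labelInputXPath(labelText) {
  return '//label[text()=' + xpathLiteral(labelText) + ']/descendant::input[1]';
}

// Minimal syntax check useful in a test suite: every quote opened inside
// the expression is closed again, so a lexer will not reject the string.
function quotesBalanced(xpath) {
  let open = null;
  for (const ch of xpath) {
    if (open === null && (ch === '"' || ch === "'")) open = ch;
    else if (ch === open) open = null;
  }
  return open === null;
}

console.log(labelInputXPath('some text'));
// //label[text()="some text"]/descendant::input[1]
console.log(labelInputXPath(`it's "quoted"`));
// //label[text()=concat("it's ", '"', "quoted", '"', "")]/descendant::input[1]
```

Building the locator this way also keeps label text that comes from test data (or from a page under test) from breaking out of the literal and changing the structure of the query, which is the same injection concern as with any other query language.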

[Zend]Filtering variables in a huge project

I have a huge application written in Zend Framework. Earlier everything was fine.
As for now it was redesigned and received a lot of new functionalities and options, but I have to defend this software from XSS.
Variables are taken from a couple of sources (web form, web services, API, etc.); some of them should be escaped, some not.
What do you think, what will be the best method to defend my website, without editing all (2,000+) files and escaping every echo?
Zend Framework comes with a class called "Zend_Filter". This class has a "StripTags" filter option that will strip all tags from a given string.
http://framework.zend.com/manual/en/zend.filter.set.html#zend.filter.set.striptags
If you note, even the strip tags filter isn't recommended for sanitizing input if you exclude something and it shouldn't be used to defend against XSS attacks. It recommends using Tidy or HTMLPurifier.
http://tidy.sourceforge.net/
http://htmlpurifier.org/
I think HTML Purifier is pretty easy to use. From their docs website:
require_once '/path/to/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);
I hope that helps!
Cheers!

appending a form parameter to url in code igniter

I have tried my best to search for an existing question with a similar issue but was not able to find one. Here's my situation.
I have a controller named search which accepts a parameter "search term". When this controller is called directly from a URL like www.xyz.com/search/red+car it returns results and the URL in the browser address bar is www.xyz.com/search/red+car, but when the user submits the search from a form in the webpage with the same term, the results are coming fine but the URL does not reflect the search term.
If I do a redirect the form POST data is lost, although resubmitting the POST is not a solution in my case either. I need a way to change the URL so that it shows the search term.
Thanks in advance for your help; please be gentle as this is my first question.
#Vlakarados - I am trying to use same controller to provide search results from post data and controller parameter. Both work fine but when using search form on webpage the search parameter is not reflected in URL.
#Rakesh Shetty - The actual method is very long, but here is the compressed format
build query as per post data and passed parameter.
populate view with results
render the view
Thanks everyone for suggesting various solution.
I used jQuery to change the form action parameter; now whenever the dropdown selection is changed the value is appended to the action parameter. I also took the dropdown out of the post data.
There are 2 dropdowns, one for area and the other for zip code. This new approach works with both dropdowns and my existing controller code works without any major change.
I used the following JavaScript code to create a new action parameter whenever the user changes the area. The same goes for ZIP code.
$("#cityname").change(function(){
var action = $(this).val();
alert(action);
$("#searchform").attr("action", "search/" + action);
});
I think I was not able to clearly explain my situation otherwise you people would have suggested this long ago.
The better way to do it is in your controller:
function search($search_query) {
// .. use your query as you normally would - display products, posts, messages
$data = array('search_query' => $search_query);
$this->load->view('search', $data);
}
// use this method as the form action
function search_proxy() {
$search_query = $this->input->post('search');
// if needed urlencode or other search query manipulation
redirect('controller/search/'.$search_query);
}
This way you will have no problems and will only work with data in your url.
Edit: The second option is to use JavaScript: when the user submits the form, change the form's action to include the searched query in the form action.

HTML form to invoke XQuery files

We have quite a number of .xqy files in several folders.
Sometimes, I need to invoke an .xqy file (via Marklogic's CQ) to test if it's working.
But I find it rather cumbersome to have to know what parameters to pass in and specify them in the xquery in CQ.
Is there a tool out there that would generate an HTML form that presents to me the parameters of a given .XQY file and invokes it when I press a "submit" button ?
If there is none out there, would somebody here know of how to make such an HTML form ? Right now, I can't seem to find any readily-available xdmp or xquery commands to tell me if an .XQY file is invocable or what parameters it expects to be fed.
Danny
The XQuery standard doesn't support introspection, nor does MarkLogic provide any functions that help with that. The closest you can get with this is using the XQDoc documentation code that is capable of parsing the XQuery code itself and producing descriptions of all function signatures within modules.
You can find more details about it here: http://developer.marklogic.com/code/xqdoc-ws
It doesn't provide a 'Submit' button, but using the XML output of xqdoc, you could make that yourself.
Good luck!
Another option would be to convert your XQuery to XQueryX and you can then process this as XML using XQuery (or XSLT) to generate an XForm or XHTML Form.
Since Danny mentioned unit testing, I'll risk plugging my own framework for that: https://github.com/mblakele/xqut
I usually run XQUT test suites in a cq buffer, but it would be easy enough to wrap one in a simple web page - with or without a form.