
Ticket #3485 (closed defect: invalid)

Opened 3 years ago

Last modified 11 months ago

InPlaceEdit: encodeURIComponent

Reported by: claudio.cicali@gmail.com
Assigned to: Clay
Priority: normal
Milestone:
Component: script.aculo.us
Version: 1.0.0
Severity: normal
Keywords: controls InPlaceEditor
Cc:

Description

To make my inplace editor let me enter the "&" char, I had to replace

var value = this.editField.value;

with

var value = encodeURIComponent(this.editField.value);

in the OnSubmit method.

Change History

01/20/06 22:23:33 changed by fodder_john@yahoo.com

This is actually sort of dangerous, as it allows the injection of arbitrary variables into the server-side script. Ampersands are interpreted as closing off the current value being submitted and starting a new variable. E.g. a value entered into the InPlaceEditor as "my new title&name=value" is sent to the server as ["value" => "my new title", "name" => "value"].

01/21/06 22:05:16 changed by jon.tirsen@gmail.com

Hasn't this been fixed already?

08/19/06 01:03:01 changed by tomg@byu.net

  • keywords set to controls.

No. The proposed change has not been made as of Rev 4787.

The patch is file controls.js - 662 var value = this.editField.value; + 662 var value = encodeURIComponent(this.editField.value);
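Review bot: whether this one-line change is correct depends on how `value` reaches the request, which the hunk does not show: with the default callback, Form.serialize (quoted in this comment) already percent-encodes the field it serializes, so the reporter's ampersand problem only arises in a custom callback that concatenates `value` into a query string by hand. Encoding at the point where that string is built keeps both paths correct, whereas encoding at line 662 would double-encode the value for any callback that already escapes its input.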

However, the default callback is

function(form) {
  return Form.serialize(form);
}

... so shouldn't Form.serialize be doing this already? Maybe that's what jon.tirsen was referring to.

Either way, this bug is seven months old. Can anyone confirm it's still an issue?
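As an added example (not code from the ticket or from script.aculo.us), the following models the parameter-injection case from fodder_john's comment and the Form.serialize question from the comment above; the form-body parser and the Form.serialize stand-in are labelled assumptions about how those pieces behave:

```javascript
// Added example (not code from the ticket or from script.aculo.us): models how
// a server splits a form-encoded body and how the ticket's value fares under
// the three ways the thread discusses of getting it into the request.

// Stand-in for a server-side form-body parser (assumed behaviour: split on
// '&', then on the first '=', and percent-decode both halves).
function parseFormBody(body) {
  const params = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    params[name] = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
  }
  return params;
}

// Stand-in for what Form.serialize does: encode each name and value, join on '&'.
function serializeFields(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
}

// Path 1: a callback concatenates the raw value (the reporter's situation).
function rawCallbackBody(value) {
  return 'value=' + value;
}

// Path 2: encode at the point where the query string is built.
function encodedCallbackBody(value) {
  return 'value=' + encodeURIComponent(value);
}

// Path 3: value already encoded in onSubmit, then handed to a callback that
// escapes its input again (the double-encoding case).
function doubleEncodedBody(value) {
  return serializeFields({ value: encodeURIComponent(value) });
}

const submitted = 'my new title&name=value'; // constructed, taken from the ticket

const raw = parseFormBody(rawCallbackBody(submitted));
// raw is { value: 'my new title', name: 'value' }: a second, injected parameter.
const fixed = parseFormBody(encodedCallbackBody(submitted));
// fixed is { value: 'my new title&name=value' }: one parameter, intact.
const twice = parseFormBody(doubleEncodedBody(submitted));
// twice.value is 'my%20new%20title%26name%3Dvalue': literal escapes reach the app.
```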

08/19/06 02:57:58 changed by tomg@byu.net

Duplicated by #4588

08/24/06 23:09:14 changed by anonymous

  • keywords changed from controls to controls InPlaceEditor.
  • owner changed from Rails to Clay.

10/24/07 21:25:33 changed by mislav

  • status changed from new to closed.
  • resolution set to invalid.

The IPE has been completely rewritten since then. Try and see if the problem persists.