From 30eddf57c8de433e8ea02b9e552c8e1744a505a7 Mon Sep 17 00:00:00 2001 From: wei <> Date: Sun, 7 May 2006 03:34:25 +0000 Subject: Add search to quickstart demo. --- .../protected/pages/Advanced/Assets.page | 10 +- .../quickstart/protected/pages/Advanced/Auth.page | 8 +- .../quickstart/protected/pages/Advanced/Error.page | 10 +- .../quickstart/protected/pages/Advanced/I18N.page | 28 +- .../protected/pages/Advanced/Logging.page | 8 +- .../protected/pages/Advanced/MasterContent.page | 2 +- .../protected/pages/Advanced/Performance.page | 12 +- .../protected/pages/Advanced/Scripts.page | 397 +++++++++++++++ .../protected/pages/Advanced/Scripts1.page | 561 +++++++++++++++++++++ .../protected/pages/Advanced/Scripts2.page | 253 ++++++++++ .../protected/pages/Advanced/Scripts3.page | 32 ++ .../protected/pages/Advanced/Security.page | 8 +- .../quickstart/protected/pages/Advanced/State.page | 10 +- .../protected/pages/Advanced/Themes.page | 12 +- 14 files changed, 1297 insertions(+), 54 deletions(-) create mode 100644 demos/quickstart/protected/pages/Advanced/Scripts.page create mode 100644 demos/quickstart/protected/pages/Advanced/Scripts1.page create mode 100644 demos/quickstart/protected/pages/Advanced/Scripts2.page create mode 100644 demos/quickstart/protected/pages/Advanced/Scripts3.page (limited to 'demos/quickstart/protected/pages/Advanced') diff --git a/demos/quickstart/protected/pages/Advanced/Assets.page b/demos/quickstart/protected/pages/Advanced/Assets.page index d69a1bcd..e79f4ecf 100644 --- a/demos/quickstart/protected/pages/Advanced/Assets.page +++ b/demos/quickstart/protected/pages/Advanced/Assets.page @@ -1,6 +1,6 @@ -

Assets

+

Assets

Assets are resource files (such as images, sounds, videos, CSS stylesheets, javascripts, etc.) that belong to specific component classes. Assets are meant to be provided to Web users. For better reusability and easier deployment of the corresponding component classes, assets should reside together with the component class files . For example, a toggle button may use two images, stored in file down.gif and up.gif, to show different toggle states. If we require the image files be stored under images directory under the Web server document root, it would be inconvenient for the users of the toggle button component, because each time they develop or deploy a new application, they would have to manually copy the image files to that specific directory. To eliminate this requirement, a directory relative to the component class file should be used for storing the image files. A common strategy is to use the directory containing the component class file to store the asset files.

@@ -8,7 +8,7 @@ Assets are resource files (such as images, sounds, videos, CSS stylesheets, java Because directories containing component class files are normally inaccessible by Web users, PRADO implements an asset publishing scheme to make available the assets to Web users. An asset, after being published, will have a URL by which Web users can retrieve the asset file.

-

Asset Publishing

+

Asset Publishing

PRADO provides several methods for publishing assets or directories containing assets:

@@ -21,7 +21,7 @@ PRADO provides several methods for publishing assets or directories containing a BE AWARE: Be very careful with assets publishing, because it gives Web users access to files that were previously inaccessible to them. Make sure that you do not publish files that do not want Web users to see.

-

Customization

+

Customization

Asset publishing is managed by the System.Web.TAssetManager module. By default, all published asset files are stored under the [AppEntryPath]/assets directory, where AppEntryPath refers to the directory containing the application entry script. Make sure the assets directory is writable by the Web server process. You may change this directory to another by configuring the BasePath and BaseUrl properties of the TAssetManager module in application configuration,

@@ -34,7 +34,7 @@ Asset publishing is managed by the System.Web.TAssetManager module. By </modules> -

Performance

+

Performance

PRADO uses caching techniques to ensure the efficiency of asset publishing. Publishing an asset essentially requires file copy operation, which is expensive. To save unnecessary file copy operations, System.Web.TAssetManager only publishes an asset when it has a newer file modification time than the published file. When an application runs under the Performance mode, such timestamp checkings are also omitted.

@@ -42,7 +42,7 @@ PRADO uses caching techniques to ensure the efficiency of asset publishing. Publ ADVISORY: Do not overuse asset publishing. The asset concept is mainly used to help better reuse and redistribute component classes. Normally, you should not use asset publishing for resources that are not bound to any component in an application. For example, you should not use asset publishing for images that are mainly used as design elements (e.g. logos, background images, etc.) Let Web server to directly serve these images will help improve the performance of your application.

-

A Toggle Button Example

+

A Toggle Button Example

We now use the toggle button example to explain the usage of assets. The control uses two image files up.gif and down.gif, which are stored under the directory containing the control class file. When the button is in Up state, we would like to show the up.gif image. This can be done as follows,

diff --git a/demos/quickstart/protected/pages/Advanced/Auth.page b/demos/quickstart/protected/pages/Advanced/Auth.page index ec876f54..3373644a 100644 --- a/demos/quickstart/protected/pages/Advanced/Auth.page +++ b/demos/quickstart/protected/pages/Advanced/Auth.page @@ -1,6 +1,6 @@ -

Authentication and Authorization

+

Authentication and Authorization

Authentication is a process of verifying whether someone is who he claims he is. It usually involves a username and a password, but may include any other methods of demonstrating identity, such as a smart card, fingerprints, etc.

@@ -8,7 +8,7 @@ Authentication is a process of verifying whether someone is who he claims he is. Authorization is finding out if the person, once identified, is permitted to manipulate specific resources. This is usually determined by finding out if that person is of a particular role that has access to the resources.

-

How PRADO Auth Framework Works

+

How PRADO Auth Framework Works

PRADO provides an extensible authentication/authorization framework. As described in application lifecycles, TApplication reserves several lifecycles for modules responsible for authentication and authorization. PRADO provides the TAuthManager module for such purposes. Developers can plug in their own auth modules easily. TAuthManager is designed to be used together with TUserManager module, which implements a read-only user database.

@@ -19,7 +19,7 @@ When a page request occurs, TAuthManager will try to restore user infor During Authorization application lifecycle, which occurs after Authentication lifecycle, TAuthManager will verify if the current user has access to the requested page according to a set of authorization rules. The authorization is role-based, i.e., a user has access to a page if 1) the page explicitly states that the user has access; 2) or the user is of a particular role that has access to the page. If the user does not have access to the page, TAuthManager will redirect user browser to the login page which is specified by LoginPage property.

-

Using PRADO Auth Framework

+

Using PRADO Auth Framework

To enable PRADO auth framework, add the TAuthManager module and TUserManager module to application configuration,

@@ -75,7 +75,7 @@ When a page request is being processed, a list of authorization rules may be ava In the above example, anonymous users will be denied from posting to PageID1 and PageID2, while User1 and User2 and all users of role Role1 can access the two pages (in both get and post methods).

-

Using TUserManager

+

Using TUserManager

As aforementioned, TUserManager implements a read-only user database. The user information are specified in either application configuration or an external XML file.

diff --git a/demos/quickstart/protected/pages/Advanced/Error.page b/demos/quickstart/protected/pages/Advanced/Error.page index 55217bfe..9d5e3037 100644 --- a/demos/quickstart/protected/pages/Advanced/Error.page +++ b/demos/quickstart/protected/pages/Advanced/Error.page @@ -1,11 +1,11 @@ -

Error Handling and Reporting

+

Error Handling and Reporting

PRADO provides a complete error handling and reporting framework based on the PHP 5 exception mechanism.

-

Exception Classes

+

Exception Classes

Errors occur in a PRADO application may be classified into three categories: those caused by PHP script parsing, those caused by wrong code (such as calling an undefined function, setting an unknown property), and those caused by improper use of the Web application by client users (such as attempting to access restricted pages). PRADO is unable to deal with the first category of errors because they cannot be caughted in PHP code. PRADO provides an exception hierarchy to deal with the second and third categories.

@@ -32,18 +32,18 @@ Exceptions raised due to improper usage of the PRADO framework inherit from Errors due to improper usage of the Web application by client users inherit from TApplicationException.

-

Raising Exceptions

+

Raising Exceptions

Raising exceptions in PRADO has no difference than raising a normal PHP exception. The only thing matters is to raise the right exception. In general, exceptions meant to be shown to application users should use THttpException, while exceptions shown to developers should use other exception classes.

-

Error Capturing and Reporting

+

Error Capturing and Reporting

Exceptions raised during the runtime of PRADO applications are captured by System.Exceptions.TErrorHandler module. Different output templates are used to display the captured exceptions. THttpException is assumed to contain error messages that are meant for application end users and thus uses a specific group of templates. For all other exceptions, a common template shown as follows is used for presenting the exceptions.

exception page -

Customizing Error Display

+

Customizing Error Display

Developers can customize the presentation of exception messages. By default, all error output templates are stored under framework/Exceptions/templates. The location can be changed by configuring TErrorHandler in application configuration,

diff --git a/demos/quickstart/protected/pages/Advanced/I18N.page b/demos/quickstart/protected/pages/Advanced/I18N.page index 4a220c4c..5b1fafa0 100644 --- a/demos/quickstart/protected/pages/Advanced/I18N.page +++ b/demos/quickstart/protected/pages/Advanced/I18N.page @@ -1,9 +1,9 @@ -

Internationalization (I18N) and Localization (L10N)

+

Internationalization (I18N) and Localization (L10N)

Many web application built with PHP will not have internationalization in mind when it was first written. It may be that it was not intended for use in languages and cultures. Internationalization is an important aspect due to the increase adoption of the Internet in many non-English speaking countries. The process of internationalization and localization will contain difficulties. Below are some general guidelines to internationalize an existing application.

-

Separate culture/locale sensitive data

+

Separate culture/locale sensitive data

Identify and separate data that varies with culture. The most obvious are text/string/message. Other type of data should also be considered. The following list categorize some examples of culture sensitive data

@@ -25,7 +25,7 @@

If possible all manner of text should be isolated and store in a persistence format. These text include, application error messages, hard coded strings in PHP files, emails, static HTML text, and text on form elements (e.g. buttons).

-

Configuration

+

Configuration

To enable the localization features in Prado, you need to add a few configuration options in your application configuration. First you need to include the System.I18N.* namespace to your paths.

@@ -52,7 +52,7 @@ With cache enabled, translated messages are saved in the application With the configuration complete, we can now start to localize your application. If you have autosave enabled, after running your application with some localization activity (i.e. translating some text), you will see a directory and a messages.xml created within your source directory.

-

What to do with messages.xml?

+

What to do with messages.xml?

The translation message catalogue file, if using type="XLIFF", is a standardized translation message interchange XML format. You can edit the XML file using any UTF-8 aware editor. The format of the XML is something like the following.

@@ -77,7 +77,7 @@ With cache enabled, translated messages are saved in the application trans-unit tag, where source is the original message, and target is the translated message. Editors such as Heartsome XLIFF Translation Editor can help in editing these XML files. -

Setting and Changing Culture

+

Setting and Changing Culture

Once globalization is enabled, you can access the globalization settings, such as, Culture, Charset, etc, using

$globalization = $this->getApplication()->getGlobalization(); @@ -98,9 +98,9 @@ Lastly, you can change the globalization settings on page by page basis using -

Localizing your Prado application

+

Localizing your Prado application

There are two areas in your application that may need message or string localization, in PHP code and in the templates. To localize strings within PHP, use the localize function detailed below. To localize text in the template, use the TTranslate component. -

Using localize function to translate text within PHP

+

Using localize function to translate text within PHP

The localize function searches for a translated string that matches original from your translation source. First, you need to locate all the hard coded text in PHP that are displayed or sent to the end user. The following example localizes the text of the $sender (assuming, say, the sender is a button). The original code before localization is as follows. @@ -118,7 +118,7 @@ function clickMe($sender,$param) } -

Compound Messages

+

Compound Messages

Compound messages can contain variable data. For example, in the message "There are 12 users online.", the integer 12 may change depending on some data in your application. This is difficult to translate because the position of the variable data may be difference for different languages. In addition, different languages have their own rules for plurals (if any) and/or quantifiers. The following example can not be easily translated, because the sentence structure is fixed by hard coding the variable data within message.

@@ -137,9 +137,9 @@ The localize function does not solve the problem of localizing language

The following sample demonstrates the basics of localization in Prado.

-

I18N Components

+

I18N Components

-

TTranslate

+

TTranslate

Messages and strings can be localized in PHP or in templates. To translate a message or string in the template, use TTranslate.

@@ -164,7 +164,7 @@ The time is {time}. <com:TLabel Text="<%[ Hello World! ]%>" /> -

TDateFormat

+

TDateFormat

Formatting localized date and time is straight forward.

<com:TDateFormat Value="12/01/2005" /> @@ -254,7 +254,7 @@ Format Pattern Result

If the Value property is not specified, the current date and time is used.

-

TNumberFormat

+

TNumberFormat

PRADO's Internationalization framework provide localized currency formatting and number formatting. Please note that the TNumberFormat component provides formatting only, it does not perform current conversion or exchange.

Numbers can be formatted as currency, percentage, decimal or scientific @@ -310,7 +310,7 @@ Pattern Output

-

TTranslateParameter

+

TTranslateParameter

Compound messages, i.e., string substitution, can be accomplished with TTranslateParameter. In the following example, the strings "{greeting}" and "{name}" will be replace with the values of "Hello" and "World", respectively.The substitution string must be enclose with "{" and "}". The parameters can be further translated by using TTranslate. @@ -325,7 +325,7 @@ with the values of "Hello" and "World", respectively.The substitution string mus -

TChoiceFormat

+

TChoiceFormat

Using the localize function or TTranslate component to translate messages does not inform the translator the cardinality of the data required to determine the correct plural structure to use. It only informs them that there is a variable data, the data could be anything. Thus, the translator will be unable to determine with respect to the substitution data the correct plural, language structure or phrase to use . E.g. in English, to translate the sentence, "There are {number} of apples.", the resulting translation should be different depending on the number of apples.

diff --git a/demos/quickstart/protected/pages/Advanced/Logging.page b/demos/quickstart/protected/pages/Advanced/Logging.page index ec3e7879..5270a00d 100644 --- a/demos/quickstart/protected/pages/Advanced/Logging.page +++ b/demos/quickstart/protected/pages/Advanced/Logging.page @@ -1,12 +1,12 @@ -

Logging

+

Logging

PRADO provides a highly flexible and extensible logging functionality. Messages logged can be classified according to log levels and message categories. Using level and category filters, the messages can be further routed to different destinations, such as files, emails, browser windows, etc. The following diagram shows the basic architecture of PRADO logging mechanism,

Log router -

Using Logging Functions

+

Using Logging Functions

The following two methods are provided for logging messages in PRADO,

@@ -18,7 +18,7 @@ Prado::trace($message, $category); The difference between Prado::log() and Prado::trace() is that the latter automatically selects the log level according to the application mode. If the application is in Debug mode, stack trace information is appended to the messages. Prado::trace() is widely used in the core code of the PRADO framework.

-

Message Routing

+

Message Routing

Messages logged using the above two functions are kept in memory. To make use of the messages, developers need to route them to specific destinations, such as files, emails, or browser windows. The message routing is managed by System.Util.TLogRouter module. When plugged into an application, it can route the messages to different destination in parallel. Currently, PRADO provides three types of routes:

@@ -44,7 +44,7 @@ To enable message routing, plug in and configure the TLogRouter module In the above, the Levels and Categories specify the log and category filters to selectively retrieve the messages to the corresponding destinations.

-

Message Filtering

+

Message Filtering

Messages can be filtered according to their log levels and categories. Each log message is associated with a log level and a category. With levels and categories, developers can selectively retrieve messages that they are interested on.

diff --git a/demos/quickstart/protected/pages/Advanced/MasterContent.page b/demos/quickstart/protected/pages/Advanced/MasterContent.page index 0a68fe31..2698f865 100644 --- a/demos/quickstart/protected/pages/Advanced/MasterContent.page +++ b/demos/quickstart/protected/pages/Advanced/MasterContent.page @@ -1,6 +1,6 @@ -

Master and Content

+

Master and Content

Pages in a Web application often share common portions. For example, all pages of this tutorial application share the same header and footer portions. If we repeatedly put header and footer in every page source file, it will be a maintenance headache if in future we want to something in the header or footer. To solve this problem, PRADO introduces the concept of master and content. It is essentially a decorator pattern, with content being decorated by master.

diff --git a/demos/quickstart/protected/pages/Advanced/Performance.page b/demos/quickstart/protected/pages/Advanced/Performance.page index ed0cc6f8..d33c110b 100644 --- a/demos/quickstart/protected/pages/Advanced/Performance.page +++ b/demos/quickstart/protected/pages/Advanced/Performance.page @@ -1,11 +1,11 @@ -

Performance Tuning

+

Performance Tuning

Performance of Web applications is affected by many factors. Database access, file system operations, network bandwidth are all potential affecting factors. PRADO tries in every effort to reduce the performance impact caused by the framework.

-

Caching

+

Caching

PRADO provides a generic caching technique used by in several core parts of the framework. For example, when caching is enabled, TTemplateManager will save parsed templates in cache and reuse them in the following requests, which saves time for parsing templates. The TThemeManager adopts the similar strategy to deal with theme parsing.

@@ -33,7 +33,7 @@ if($application->Cache) { where $keyName should be a string that uniquely identifies the data item stored in cache.

-

Using pradolite.php

+

Using pradolite.php

Including many PHP script files may impact application performance significantly. PRADO classes are stored in different files and when processing a page request, it may require including tens of class files.To alleviate this problem, in each PRADO release, a file named pradolite.php is also included. The file is a merge of all core PRADO class files with comments being stripped off and message logging removed.

@@ -41,7 +41,7 @@ Including many PHP script files may impact application performance significantly To use pradolite.php, in your application entry script, replace the inclusion of prado.php with pradolite.php.

-

Changing Application Mode

+

Changing Application Mode

Application mode also affects application performance. A PRADO application can be in one of the following modes: Off, Debug, Normal and Performance. The Debug mode should mainly be used during application development, while Normal mode is usually used in early stage after an application is deployed to ensure everything works correctly. After the application is proved to work stably for some period, the mode can be switched to Performance to further improve the performance.

@@ -57,7 +57,7 @@ To switch application mode, configure it in application configuration: </application > -

Reducing Page Size

+

Reducing Page Size

By default, PRADO stores page state in hidden fields of the HTML output. The page state could be very large in size if complex controls, such as TDataGrid, is used. To reduce the size of the network transmitted page size, two strategies can be used.

@@ -76,7 +76,7 @@ Second, you may use a different page state storage. For example, page state may Note, in the above the SpecialPage will use MyPersister2 as its persister class, while the rest pages will use MyPersister1. Therefore, you can have different state persister strategies for different pages.

-

Other Techniques

+

Other Techniques

Server caching techniques are proven to be very effective in improving the performance of PRADO applications. For example, we have observed that by using Zend Optimizer, the RPS (request per second) of a PRADO application can be increased by more than ten times. Of course, this is at the cost of stale output, while PRADO's caching techniques always ensure the correctness of the output.

diff --git a/demos/quickstart/protected/pages/Advanced/Scripts.page b/demos/quickstart/protected/pages/Advanced/Scripts.page new file mode 100644 index 00000000..5921e865 --- /dev/null +++ b/demos/quickstart/protected/pages/Advanced/Scripts.page @@ -0,0 +1,397 @@ + +

Introduction to Javascript

+This guide is based on the +Quick guide to somewhat advanced JavaScript tour of some OO features by Sergio Pereira. + +

Hey, I didn't know you could do that

+

+ If you are a web developer and come from the same place I do, you have probably + used quite a bit of Javascript in your web pages, mostly as UI glue. +

+

+ + Until recently, I knew that Javascript had more OO capabilities than I was employing, + but I did not feel like I needed to use it. As the browsers started to support a more + standardized featureset of Javascript and the DOM, it became viable to write more + complex and functional code to run on the client. That helped giving birth to the + AJAX phenomena. +

+

+ As we all start to learn what it takes to write our cool, AJAXy applications, we begin + to notice that the Javascript we used to know was really just the tip of the iceberg. + We now see Javascript being used beyond simple UI chores like input validation and frivolous + tasks. The client code now is far more advanced and layered, much like a real desktop + application or a client-server thick client. We see class libraries, object models, + hierarchies, patterns, and many other things we got used to seeing only in our server + side code. +

+

+ In many ways we can say that suddenly the bar was put much higher than before. It takes + a heck lot more proficiency to write applications for the new Web and we need to improve + our Javascript skills to get there. + If you try to use many of the existing javascript libraries out there, like + Prototype.js, + Scriptaculous, + moo.fx, + Behaviour, + YUI, + etc you'll eventually find yourself reading the JS code. Maybe because you want + to learn how they do it, or because you're curious, or more often because that's the + only way to figure out how to use it, since documentation does not seem to be highly + regarded with most of these libraries. Whatever the case may be, you'll face some + kung-fu techniques that will be foreign and scary if you haven't seen anything like + that before. +

+ +

+ The purpose of this article is precisely explaining the types of constructs that + many of us are not familiar with yet. +

+ + +

JSON (JavaScript Object Notation)

+

+ JavaScript Object Notation (JSON,) is one of the new + buzzwords popping up around the AJAX theme. JSON, simply put, is a way of + declaring an object in javascript. Let's see an example right away and note + how simple it is. +

+ +var myPet = { color: 'black', leg_count: 4, communicate: function(repeatCount){ +for(i=0;i<repeatCount;i++) alert('Woof!');} }; + + +

+ Let's just add little bit of formatting so it looks more like how we usually find out there: +

+ +var myPet = +{ + color: 'black', + legCount: 4, + communicate: function(repeatCount) + { + for(i=0;i<repeatCount;i++) + alert('Woof!'); + } +}; + +

+ Here we created a reference to an object with two properties (color + and legCount) and a method (communicate.) + It's not hard to figure out that the object's properties and methods + are defined as a comma delimited list. Each of the members is introduced by name, followed + by a colon and then the definition. In the case of the properties it is easy, just the value + of the property. The methods are created by assigning an anonymous function, which we will + explain better down the line. + After the object is created and assigned to the variable myPet, + we can use it like this: +

+ + +alert('my pet is ' + myPet.color); +alert('my pet has ' + myPet.legCount + ' legs'); +//if you are a dog, bark three times: +myPet.communicate(3); + +

+ You'll see JSON used pretty much everywhere in JS these days, as arguments to functions, + as return values, as server responses (in strings,) etc. +

+ +

What do you mean? A function is an object too?

+

+ This might be unusual to developers that never thought about that, but in JS a function is + also an object. You can pass a function around as an argument to another function just like + you can pass a string, for example. This is extensively used and very handy. +

+ +

+ Take a look at this example. We will pass functions to another function that will use them. +

+ +var myDog = +{ + bark: function() + { + alert('Woof!'); + } +}; + +var myCat = +{ + meow: function() + { + alert('I am a lazy cat. I will not meow for you.'); + } +}; + +function annoyThePet(petFunction) +{ + //let's see what the pet can do + petFunction(); +} + +//annoy the dog: +annoyThePet(myDog.bark); +//annoy the cat: +annoyThePet(myCat.meow); + +

+ Note that we pass myDog.bark and myCat.meow without appending parenthesis + "()" to them. If we did that we would not be passing + the function, rather we would be calling the method and passing the return value, + undefined in both cases here. +

+ +

+ If you want to make my lazy cat start barking, you can easily do this: +

+ +myCat.meow = myDog.bark; +myCat.meow(); //alerts 'Woof!' + + +

Arrays, items, and object members

+

+ The following two lines in JS do the same thing. +

+ + +var a = new Array(); +var b = []; + +

+ As I'm sure you already know, you can access individual items in an array + by using the square brackets: +

+ +var a = ['first', 'second', 'third']; +var v1 = a[0]; +var v2 = a[1]; +var v3 = a[2]; + +

+ + But you are not limited to numeric indices. You can access any member of a JS + object by using its name, in a string. The following example creates an empty + object, and adds some members by name. +

+ +var obj = {}; //new, empty object +obj['member_1'] = 'this is the member value'; +obj['flag_2'] = false; +obj['some_function'] = function(){ /* do something */}; + +

+ The above code has identical effect as the following: +

+ +var obj = +{ + member_1:'this is the member value', + flag_2: false, + some_function: function(){ /* do something */} +}; + + +

+ In many ways, the idea of objects and associative arrays (hashes) in JS are not + distiguishable. The following two lines do the same thing too. +

+ +obj.some_function(); +obj['some_function'](); + + + +

Enough about objects, may I have a class now?

+

+ + The great power of object oriented programming languages derive from the use + of classes. I don't think I would have guessed how classes are defined in JS + using only my previous experience with other languages. Judge for yourself. +

+ +//defining a new class called Pet +var Pet = function(petName, age) +{ + this.name = petName; + this.age = age; +}; + +//let's create an object of the Pet class +var famousDog = new Pet('Santa\'s Little Helper', 15); +alert('This pet is called ' + famousDog.name); + +

+ Let's see how we add a method to our Pet class. We will be using the + prototype property that all classes have. The prototype + property is an object that contains all the members that any object of the class will have. + Even the default JS classes, like String, Number, + and Date have a prototype object that we + can add methods and properties to and make any object of that class automatically gain this new member. +

+ + +Pet.prototype.communicate = function() +{ + alert('I do not know what I should say, but my name is ' + this.name); +}; + +

+ That's when a library like prototype.js comes in + handy. If we are using prototype.js, we can make our code look cleaner (at least in my opinion.) +

+ +var Pet = Class.create(); +Pet.prototype = +{ + //our 'constructor' + initialize: function(petName, age) + { + this.name = petName; + this.age = age; + }, + + communicate: function() + { + alert('I do not know what I should say, but my name is ' + this.name); + } +}; + + +

Functions as arguments, an interesting pattern

+

+ If you have never worked with languages that support closures + you may find the following idiom too funky. +

+ +var myArray = ['first', 'second', 'third']; +myArray.each( function(item, index) +{ + alert('The item in the position #' + index + ' is:' + item); +}); + +

+ + Whoa! Let's explain what is going on here before you decide I've gone too + far and navigate to a better article than this one. +

+

+ First of all, in the above example we are using the prototype.js library, which + adds the each function to the Array class. The each function accepts one + argument that is a function object. This function, in turn, will be called once + for each item in the array, passing two arguments when called, the item and the index + for the current item. Let's call this function our iterator function. + We could have also written the code like this. +

+ +function myIterator(item, index) +{ + alert('The item in the position #' + index + ' is:' + item); +} + +var myArray = ['first', 'second', 'third']; +myArray.each( myIterator ); + +

+ But then we would not be doing like all the cool kids in school, right? + More seriously, though, this last format is simpler to understand but causes + us to jump around in the code looking for the myIterator function. It's nice + to have the logic of the iterator function right there in the same place + it's called. Also, in this case, we will not need the iterator function anywhere + else in our code, so we can transform it into an anonymous function without penalty. +

+ +

This is this but sometimes this is also that

+

+ + One of the most common troubles we have with JS when we start writing our code + it the use of the this keyword. It could be a real + tripwire. +

+

+ As we mentioned before, a function is also an object in JS, and sometimes we + do not notice that we are passing a function around. +

+

+ Take this code snippet as an example. +

+ +function buttonClicked() +{ + alert('button ' + this.id + ' was clicked'); +} + +var myButton = document.getElementById('someButtonID'); +var myButton2 = document.getElementById('someOtherButtonID'); +myButton.onclick = buttonClicked; +myButton2.onclick = buttonClicked; + +

+ Because the buttonClicked function is defined outside any object we may tend to + think the this keyword will contain a reference to + the window or document + object (assuming this code is in the middle of an HTML page viewed in a browser.) +

+ +

+ But when we run this code we see that it works as intended and displays the id of + the clicked button. What happened here is that we made the onclick method of each button contain the + buttonClicked object reference, replacing whatever was there before. Now + whenever the button is clicked, the browser will execute something similar to the following line. +

+ +myButton.onclick(); + +

+ + That isn't so confusing afterall, is it? But see what happens you start having other + objects to deal with and you want to act on these object upon events like the button's click. +

+ +var myHelper = +{ + formFields: [ ], + emptyAllFields: function() + { + for(i=0; i < this.formFields.length; i++) + { + var elementID = this.formFields[i]; + var field = document.getElementById(elementID); + field.value = ''; + } + } +}; + +//tell which form fields we want to work with +myHelper.formFields.push('txtName'); +myHelper.formFields.push('txtEmail'); +myHelper.formFields.push('txtAddress'); + +//clearing the text boxes: +myHelper.emptyAllFields(); + +var clearButton = document.getElementById('btnClear'); +clearButton.onclick = myHelper.emptyAllFields; + +

+ So you think, nice, now I can click the Clear button on my page and those three text boxes + will be emptied. Then you try clicking the button only to get a runtime error. The error + will be related to (guess what?) the this keyword. + The problem is that this.formFields is not defined if + this containz a referece to the button, which is + precisely what's happening. One quick solution would be to rewrite our last line of code. +

+ + +clearButton.onclick = function() +{ + myHelper.emptyAllFields(); +}; + +

+ That way we create a brand new function that calls our helper method within the helper object's context. +

+ \ No newline at end of file diff --git a/demos/quickstart/protected/pages/Advanced/Scripts1.page b/demos/quickstart/protected/pages/Advanced/Scripts1.page new file mode 100644 index 00000000..f11a2f9d --- /dev/null +++ b/demos/quickstart/protected/pages/Advanced/Scripts1.page @@ -0,0 +1,561 @@ + + +

Developer Notes for prototype.js

+This guide is based on the +Developer Notes for prototype.js by Sergio Pereira. + +

What is that?

+

+In case you haven't already used it, prototype.js is a + JavaScript library written by Sam Stephenson. + This amazingly well thought and well written piece of standards-compliant code takes a lot of + the burden associated with creating rich, highly interactive web pages that characterize the Web 2.0 off your back. +

+ +

+ If you tried to use this library recently, you probably noticed that documentation is not one + of its strongest points. As many other developers before me, I got my head around prototype.js by + reading the source code and experimenting with it. I thought it would be nice to take notes while + I learned and share with everybody else. +

+

+ As you read the examples and the reference, developers familiar with the Ruby + programming language will notice an intentional similarity between Ruby's + built-in classes and many of the extensions implemented by this library. +

+ + +

Using the $() function

+

+ The $() function is a handy shortcut to the all-too-frequent document.getElementById() function + of the DOM. Like the DOM function, this one returns the element that has the id passed as an argument. +

+ +

+ Unlike the DOM function, though, this one goes further. You can pass more than one id and + $() will return an Array object with + all the requested elements. The example below should illustrate this. +

+ +<com:TClientScript UsingClientScripts="prado" /> +
+

This is a paragraph

+
+ +
+

This is another paragraph

+
+ + + + + + +

+ Another nice thing about this function is that you can pass either the id string or the element object itself, + which makes this function very useful when creating other functions that can also take either form of argument. +

+ +

Using the $F() function

+ +

+ The $F() function is a another welcome shortcut. It returns the value of any field input control, + like text boxes or drop-down lists. The function can take as argument either the element id or the element object itself. +

+ + + + + + + +

Using the $A() function

+ +

+ The $A() function converts the single argument it receives + into an Array object. +

+

+ This function, combined with the extensions for the Array class, + makes it easier to convert or copy any enumerable list into an + Array object. One suggested use is to convert DOM + NodeLists into regular arrays, which can be traversed + more efficiently. See example below. +

+ + + + + + + + + +

Using the $H() function

+

+ The $H() function converts + objects into enumerable Hash objects that + resemble associative arrays. +

+ +function testHash() +{ + //let's create the object + var a = + { + first: 10, + second: 20, + third: 30 + }; + + //now transform it into a hash + var h = $H(a); + alert(h.toQueryString()); + + //displays: first=10&second=20&third=30 +} + + +

Enumerating... Wow! Damn! Wahoo!

+

+ We are all familar with for loops. You know, create yourself an array, populate it with + elements of the same kind, create a loop control structure (for, foreach, while, repeat, etc,) + access each element sequentially, by its numeric index, and do something with the element. +

+

+ When you come to think about it, almost every time you have an array in your code it + means that you'll be using that array in a loop sooner or later. Wouldn't it be nice + if the array objects had more functionality to deal with these iterations? Yes, it would, + and many programming languages provide such functionality in their arrays or equivalent + structures (like collections and lists.) +

+ +

+ Well, it turns out that prototype.js gives us the Enumerable + object, which implements a plethora of tricks for us to use when dealing with iterable data. + The prototype.js library goes one step further and extends the + Array class with all the methods of Enumerable. +

+ + +

Loops and iterator

+

+ In standard javascript, if you wanted to sequentially display the elements of an array, + you could very well write something like this. +

+ + + + + +

+ With our new best friend, prototype.js, we can rewrite this loop like this. +

+ + +function showList() +{ + var simpsons = ['Homer', 'Marge', 'Lisa', 'Bart', 'Meg']; + simpsons.each( function(familyMember) + { + alert(familyMember); + }); +} + +

+ You are probably thinking "big freaking deal...just a weird syntax for the same old thing." + Well, in the above example, yes, there's nothing too earth shattering going on. Afterall, + there's not much to be changed in such a drop-dead-simple example. But + keep reading, nonetheless. +

+

+ Before we move on. Do you see this function that is being passed as an argument + to the each method? Let's start referring to it as an + iterator function. +

+ +

Your arrays on steroids

+ +

+ Like we mentioned above, it's very common for all the elements in your array to be of + the same kind, with the same properties and methods. Let's see how we can take advantage + of iterator functions with our new souped-up arrays. +

+

+ Finding an element according to a criteria. +

+ + + + + + + + +

+ Now let's kick it up another notch. See how we can filter out + items in arrays, then retrieve just a desired member from each + element. +

+ + + +

+ This <a href="http://othersite.com/page.html">text</a> has + a <a href="#localAnchor">lot</a> of + <a href="#otherAnchor">links</a>. Some are + <a href="http://wherever.com/page.html">external</a> + and some are <a href="#someAnchor">local</a> +

+ + +

+ It takes just a little bit of practice to get completely addicted to this syntax. + Next we will go through the available functions with the following example. +

+

Enumerable Functions

+The sample data for the following examples. + +var Fixtures = +{ + Products: + [ + {name: 'Basecamp', company: '37signals', type: 'Project Management'}, + {name: 'Shopify', company: 'JadedPixel', type: 'E-Commerce'}, + {name: 'Mint', company: 'Shaun Inman',type: 'Statistics'} + ], + + Artist: + [ + 'As I Lay Dying', + '36 Crazyfist', + 'Shadows Fall', + 'Trivium', + 'In Flames' + ], + + Numbers: [0, 1, 4, 5, 98, 32, 12, 9] +}; + +var F = Fixtures; + + +

Enumerable.each function

+

I used to find myself writing a lot of for loops. Although, +Prototype doesn’t by any means eliminate the need to do for loops, +it does give you access to what I consider to be a cleaner, easier to read method in each. + +for(var i = 0; i < F.Numbers.length; i++) +{ + Logger.info(F.Numbers[i]); +} + +

+The each function allows us to iterate over these objects Ruby style. +

+ +F.Numbers.each(function(num) +{ + Logger.info(num); +}); + +//Output +0 +1 +4 +5 +98 +32 +12 +9 + + +

The each function takes one argument, an iterator function. +This iterator is invoked once for every item in the array, and that item +along with the optional index is passed to the iterator. So if +we also needed the index we could do something like the code below. +

+ + +F.Numbers.each(function(num, index) +{ + Logger.info(index + ": " + num); +}); + +//Output +0: 0 +1: 1 +2: 4 +3: 5 +4: 98 +5: 32 +6: 12 +7: 9 + + +

Hash key/value pairs

+

Hashes can be created by wrapping an Object (associative array) in +$H() and can have their key/value pairs exposed.

+ + +$H(F.Products[0]).each(function(product) +{ + Logger.info(product.key + ": " + product.value); +}); + +//Outputs +name: Basecamp +company: 37signals +type: Project Management + +

+We can also directly access the keys and values of a Hash without iterating over it. +

+ +$H(F.Products[1]).keys(); +//Outputs name,company,type + +$H(F.Products[1]).values(); +//Outputs Shopify,JadedPixel,E-Commerce + + +

Enumerable.collect function

+ +

The collect function allows you to iterate over an Array and return the +results as a new array. Each item returned as a result of the iteration will be +pushed onto the end of the new array.

+ +var companies = F.Products.collect(function(product) +{ + return product.company; +}); + +Logger.info(companies.join(', ')); + +// Outputs +// 37signals, JadedPixel, Shaun Inman + + +

You can even join on the end of the block.

+ +return F.Products.collect(function(product) +{ + return product.company; +}).join(', '); + + +

Enumerable.include function

+ +

The include function allows you to check if a value is included in an array +and returns true or false depending on if a match was made. Assuming I put +up a form asking the user to name some artist in my iTunes playlist, +we could do something like the code below. Prime candidate for some conditional madness. +

+ +return F.Artists.include('Britney Spears'); // returns false + + +

Enumerable.inject function

+ +

The inject function is good for getting a collective sum from an array of +values. For instance, to add up all the numbers. +

+ +var score = F.Numbers.inject(0, function(sum, value) +{ + return sum + value; +}); + +Logger.info(score); +//Output 161 + + +

The first argument to inject is just an initial value that +would be added to the sum, so if we added 1 instead of 0, the output would be 162.

+ +

Enumerable.findAll function

+

+When given an Array, the findAll function will return an array of +items for which the iterator evaluated to true. Basically, it allows you to +build a new array of values based on some search criteria. +If we wanted to find all products whose type was “E-Commerce” +we could do something like the code below. +

+ +var ecom = F.Products.findAll(function(product) +{ + return product.type == 'E-Commerce'; +}); + +Logger.info(ecom[0].company + " produces " + ecom[0].name); + +//Outputs +JadedPixel produces Shopify + + +

Note that even if only one match is made, just as in this case, +the result is still returned as an array. In that case, +ecom.company would return undefined.

+ +

Enumerable.detect function

+

Unlike the findAll function, the detect function will only +return the first item for which the expression inside +the iterator is true. So, if we wanted to find the first number that +was greater than 5 we’d do something like the code below. +

+ +var low = F.Numbers.detect(function(num) +{ + return num > 5 +}); + +Logger.info(low); +//Outputs 98 + + +

Even though, there are other numbers above 5 in our array, detect +only gives us the first match back.

+ +

Enumerable.invoke function

+ +

The invoke function allows us to pass a method as a string and +have that method invoked. For instance, if we wanted to sort +our array of artists we’d do something like this:

+ + +[F.Artists].invoke('sort') +//Outputs 36 Crazyfist,As I Lay Dying,In Flames,Shadows Fall,Trivium + + +

Why not just use F.Artists.sort? Well, for the example above +we could do just that, but here is where invoke shines.

+ + +[F.Artists, F.Letters].invoke('sort'); +//Outputs 36 Crazyfist,As I Lay Dying,In Flames,... + +

So we invoked sort for each sub-array. Note that the code below will not work.

+ + +F.Artists.invoke('sort'); + + +

The reason this will not work is because it is taking each item +in that array and trying to apply sort to it, thus if we wrote it outright, +it would look something like this:

+ + +"36 Crazy Fists".sort(); + +

We could however do something like this:

+ + +F.Artists.invoke('toLowerCase'); +//Outputs 36 crazyfist,as i lay dying,in flames,shadows ... + + +

+Now, what about passing arguments to the invoke function? +The first argument passed to invoke is the method to be invoked, +and any other arguments beyond that will be passed as arguments to the invoked method.

+ + +F.Artists.invoke('concat', " is awesome ") +//Outputs +36 Crazyfist is awesome ,As I Lay Dying is awesome ,... + + + \ No newline at end of file diff --git a/demos/quickstart/protected/pages/Advanced/Scripts2.page b/demos/quickstart/protected/pages/Advanced/Scripts2.page new file mode 100644 index 00000000..6ee6a5d8 --- /dev/null +++ b/demos/quickstart/protected/pages/Advanced/Scripts2.page @@ -0,0 +1,253 @@ + +

DOM Events and Javascript

+ +

Basic event handling

+ +

The syntax for working with events looks like the code below.

+ + +Event.observe(element, name, observer, [useCapture]); + + +

Assuming for a moment that we want to observe when a link was clicked, +we could do the following:

+ + +// <a id="clicker" href="http://foo.com">Click me</a> +Event.observe('clicker', 'click', function(event) +{ + alert('clicked!'); +}); + + +

If we wanted to get the element that fired the event, we'd do this:

+ + +Event.observe('clicker', 'click', function(event) +{ + alert(Event.element(event)); +}); + + +

Observing keystrokes

+ +

If we wanted to observe keystrokes for the entire document, we could do the following:

+ + +Event.observe(document, 'keypress', function(event) +{ + if(Event.keyCode(event) == Event.KEY_TAB) + alert('Tab Pressed'); +}); + + +

And lets say we wanted to keep track of what has been typed :

+ + +Event.observe('search', 'keypress', function(event) +{ + Element.update('search-results', $F(Event.element(event))); +}); + + +

Prototype defines properties inside the event object for some +of the more common keys, so feel free to dig around in Prototype to +see which ones those are.

+ +

A final note on keypress events; If you'd like to detect a +left click you can use Event.isLeftClick(event).

+ +

Getting the coordinates of the mouse pointer

+ +

Drag and drop, dynamic element resizing, games, and +much more all require the ability to track the X and Y location of +the mouse. Prototype makes this fairly simple. The code below tracks +the X and Y position of the mouse and spits out those values into +an input box named mouse.

+ + +Event.observe(document, 'mousemove', function(event) +{ + $('mouse').value = "X: " + Event.pointerX(event) + + "px Y: " + Event.pointerY(event) + "px"; +}); + + +

If we wanted to observe the mouse location when it was +hovering over a certain element, we'd just change the document argument to +the id or element that was relevant.

+ +

Stopping Propagation

+ +

Event.stop(event) will stop the propagation of an event .

+ +

Events, Binding, and Objects

+ +

Everything has been fairly straight forward so far, but things +start getting a little tricker when you need to work with events in +and object-oriented environment. You have to deal with binding and funky +looking syntax that might take a moment to get your head around.

+ +

Lets look at some code so you can get a better understanding of what I'm talking about.

+ +EventDispenser = Class.create(); +EventDispenser.prototype = +{ + initialize: function(list) + { + this.list = list; + + // Observe clicks on our list items + $$(this.list + " li").each(function(item) + { + Event.observe(item, 'click', this.showTagName.bindEvent(this)); + }.bind(this)); + + // Observe when a key on the keyboard is pressed. + // In the observer, we check for + // the tab key and alert a message if it is pressed. + Event.observe(document, 'keypress', this.onKeyPress.bindEvent(this)); + + // Observe our fake live search box. When a user types + // something into the box, the observer will take that + // value(-1) and update our search-results div with it. + Event.observe('search', 'keypress', this.onSearch.bindEvent(this)); + + Event.observe(document, 'mousemove', this.onMouseMove.bindEvent(this)); + }, + + // Arbitrary functions to respond to events + showTagName: function(event) + { + alert(Event.element(event).tagName); + }, + + onKeyPress: function(event) + { + var code = event.keyCode; + if(code == Event.KEY_TAB) + alert('Tab key was pressed'); + }, + + onSearch: function(event) + { + Element.update('search-results', $F(Event.element(event))); + }, + + onMouseMove: function(event) + { + $('mouse').value = "X: " + Event.pointerX(event) + + "px Y: " + Event.pointerY(event) + "px"; + } +} + +

Whoa! What's going on here? Well, we've defined our a +custom class EventDispenser. We're going to be using this class +to setup events for our document. Most of this code is a +rewrite of the code we looked at earlier except this time, we +are working from inside an object.

+ +

Looking at the initialize method, we can really see how +things are different now. Take a look at the code below:

+ +// Observe clicks on our list items +$$(this.list + " li").each(function(item) +{ + Event.observe(item, 'click', this.showTagName.bindEvent(this)); +}.bind(this)); + + +

We've got iterators, binding and all sorts of stuff going on. +Lets break down what this chunk of code is doing.

+ +

First we are hunting for a collection of elements based on +it's Css selector. This uses the Prototype selector function $$(). +After we've found the list items we are dealing with we send +those into an each iteration where we will add our observers.

+ + +Event.observe(item, 'click', this.showTagName.bindEvent(this)); + + +

Now looking at the code above, you'll notice the bindEvent function. +This takes the method before it showTagName and treats it as the +method that will be triggered when, in this case, +someone clicks one of our list items.

+ +

You'll also notice we pass this as an argument to the bindEvent function. +This simply allows us to reference the object in context EventDispenser +inside our function showTagName(event). If the showTagName function +requires additional parameters, you can attach them to the later parameters of bindEvent. For example

+ +this.showTagName.bindEvent(this, param1, param2); + +//where the showTagName function is defined as +showTime : function (event, param1, param2) { ... } + + +

Moving on, you'll see bind(this) attached to our iterator function. +This really has nothing to do with events, it is only here to allow me to +use this inside the iterator. If we didn't use bind(this), I couldn't +reference the method showTagName inside the iterator.

+ +

Ok, so we'll move on to looking at our methods that actually get +called when an event occurs. Since we've been dealing with showTagName, lets look at it.

+ + +showTagName: function(event) +{ + alert(Event.element(event).tagName); +} + + +

As you can see, this function accepts one argument--the event. +In order for us to get the element which fired the event we need to +pass that argument to Event.element. Now we can manipulate it at will.

+ +

This covers the most confusing parts of our code. The text above is also +relevant to the remaining parts of our code. If there is anything about +this you don't understand, feel free to ask questions in the forum.

+ +

Removing Event Listeners

+ +

This one threw me for a loop the first time I tried to use it. +I tried something similar to what I did in the Event.observe +call with the exception of using stopObserving, but nothing seemed +to change. In other words, the code below does NOT work.

+ + +$$(this.list + " li").each(function(item) +{ + Event.stopObserving(item, 'click', this.showTagName); +}.bind(this)); + + +

What's the deal here? The reason this doesn't work is because there +is no pointer to the observer. This means that when we passed this.showTagName +in the Event.observe method before hand, we passed it as an +anonymous function. We can't reference an anonymous function +because it simply doesn't have a pointer.

+ +

So how do we get the job done? All we need to do is give the +observing function a pointer, or the jargon free version: Set a variable +that points to this.showTagName. Ok, lets change our code a bit.

+ + +this.showTagObserver = this.showTagName.bindEvent(this); + +// Observe clicks on our list items +$$(this.list + " li").each(function(item) +{ + Event.observe(item, 'click', this.showTagObserver); +}.bind(this)); + + +

Now we can remove the event listeners from our list like this:

+ +$$(this.list + " li").each(function(item) +{ + Event.stopObserving(item, 'click', this.showTagObserver); +}.bind(this)); + + + \ No newline at end of file diff --git a/demos/quickstart/protected/pages/Advanced/Scripts3.page b/demos/quickstart/protected/pages/Advanced/Scripts3.page new file mode 100644 index 00000000..9883f43e --- /dev/null +++ b/demos/quickstart/protected/pages/Advanced/Scripts3.page @@ -0,0 +1,32 @@ + +

Javascript in Prado, Questions and Answers

+

How do I include the predefined javascript libraries?

+
  • Adding libraries in the template + +<com:TClientScript UsingPradoScripts="effects" /> + +
    • +
  • Adding libraries in PHP code + +$this->getPage()->getClientScript()->registerPradoScript("effects"); + +
    • +
+The available packaged libraries included in Prado are +
    +
  • prado : basic prado javascript framework based on Prototype
    • +
  • effects : visual effects from script.aculo.us
    • +
  • ajax : ajax and callback related based on Prototype
    • +
  • validator : validation
    • +
  • logger : javascript logger and object browser
    • +
  • datepicker : datepicker
    • +
  • rico : Rico library
    • +
  • colorpicker : colorpicker
    • +
+ +

The dependencies for each library are automatically resolved. Components +that require a particular library will also automatically load the necessary libraries. +For example, if you add a TDatePicker component on the page, the datapicker +and its dependencies will be automatically included on the page.

+ + \ No newline at end of file diff --git a/demos/quickstart/protected/pages/Advanced/Security.page b/demos/quickstart/protected/pages/Advanced/Security.page index b6de7251..9be7946a 100644 --- a/demos/quickstart/protected/pages/Advanced/Security.page +++ b/demos/quickstart/protected/pages/Advanced/Security.page @@ -1,8 +1,8 @@ -

Security

+

Security

-

Viewstate Protection

+

Viewstate Protection

Viewstate lies at the heart of PRADO. Viewstate represents data that can be used to restore pages to the state that is last seen by end users before making the current request. By default, PRADO uses hidden fields to store viewstate information.

@@ -26,7 +26,7 @@ HMAC check requires a private key that should be secret to end users. Developers HMAC check does not prevent end users from reading the viewstate content. An added security measure is to encrypt the viewstate information so that end users cannot decipher it. To enable viewstate encryption, set the EnableStateEncryption of pages to true. This can be done in page configurations or in page code. Note, encrypting viewstate may degrade the application performance. A better strategy is to store viewstate on the server side, rather than the default hidden field.

-

Cross Site Scripting Prevention

+

Cross Site Scripting Prevention

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool other application users and gather data from them. For example, a poorly design forum system may display user input in forum posts without any checking. An attacker can then inject a piece of malicious JavaScript code into a post so that when other users read this post, the JavaScript runs unexpectedly on their computers.

@@ -37,7 +37,7 @@ One of the most important measures to prevent XSS attacks is to check user input PRADO incorporates the work of SafeHTML and provides developers with a useful component called TSafeHtml. By enclosing content within a TSafeHtml component tag, the enclosed content are ensured to be safe to end users. In addition, the commonly used TTextBox has a SafeText property which contains user input that are ensured to be safe if displayed directly to end users.

-

Cookie Attack Prevention

+

Cookie Attack Prevention

Protecting cookies from being attacked is of extreme important, as session IDs are commonly stored in cookies. If one gets hold of a session ID, he essentially owns all relevant session information.

diff --git a/demos/quickstart/protected/pages/Advanced/State.page b/demos/quickstart/protected/pages/Advanced/State.page index 8d69d6a4..051090e9 100644 --- a/demos/quickstart/protected/pages/Advanced/State.page +++ b/demos/quickstart/protected/pages/Advanced/State.page @@ -1,11 +1,11 @@ -

Persistent State

+

Persistent State

Web applications often need to remember what an end user has done in previous page requests so that the new page request can be served accordingly. State persistence is to address this problem. Traditionally, if a page needs to keep track of user interactions, it will resort to session, cookie, or hidden fields. PRADO provides a new line of state persistence schemes, including view state, control state, and application state.

-

View State

+

View State

View state lies at the heart of PRADO. With view state, Web pages become stateful and are capable of restoring pages to the state that end users interacted with before the current page request. Web programming thus resembles to Windows GUI programming, and developers can think continuously without worrying about the roundtrips between end users and the Web server. For example, with view state, a textbox control is able to detect if the user input changes the content in the textbox.

@@ -22,7 +22,7 @@ where $this refers to the control object, Caption is a unique $caption = $this->getViewState('Caption'); -

Control State

+

Control State

Control state is like view state in every aspect except that control state cannot be disabled. Control state is intended to be used for storing crucial state information without which a page or control may not work properly.

@@ -34,7 +34,7 @@ $this->setControlState('Caption',$caption); $caption = $this->getControlState('Caption'); -

Application State

+

Application State

Application state refers to data that is persistent across user sessions and page requests. A typical example of application state is the user visit counter. The counter value is persistent even if the current user session terminates. Note, view state and control state are lost if the user requests for a different page, while session state is lost if the user session terminates.

@@ -46,7 +46,7 @@ $application->setGlobalState('Caption',$caption); $caption = $application->getGlobalState('Caption'); -

Session State

+

Session State

PRADO encapsulates the traditional session management in THttpSession module. The module can be accessed from within any component by using $this->Session, where $this refers to the component object.

diff --git a/demos/quickstart/protected/pages/Advanced/Themes.page b/demos/quickstart/protected/pages/Advanced/Themes.page index ba5585e7..ef593c65 100644 --- a/demos/quickstart/protected/pages/Advanced/Themes.page +++ b/demos/quickstart/protected/pages/Advanced/Themes.page @@ -1,18 +1,18 @@ -

Themes and Skins

+

Themes and Skins

-

Introduction

+

Introduction

Themes in Prado provide a way for developers to provide a consistent look-and-feel across an entire web application. A theme contains a list of initial values for properties of various control types. When applying a theme to a page, all controls on that page will receive the corresponding initial property values from the theme. This allows themes to interact with the rich property sets of the various PRADO controls, meaning that themes can be used to specify a large range of presentational properties that other theming methods (e.g. CSS) cannot. For example, themes could be used to specify the default page size of all data grids across an application by specifying a default value for the PageSize property of the TDataGrid control.

-

Understanding Themes

+

Understanding Themes

A theme is a directory consists of skin files, javascript files and CSS files. Any javascript or CSS files contained in a theme will be registered with the page that the theme is applied to. A skin is a set of initial property values for a particular control type. A control type may have one or several skins, each identified by a unqiue SkinID. When applying a theme to a page, a skin is applied to a control if the control type and the SkinID value both match to those of the skin. Note, if a skin has an empty SkinID value, it will apply to all controls of the particular type whose SkinID is not set or empty. A skin file consists of one or several skins, for one or several control types. A theme is the union of skins defined in all skin files.

-

Using Themes

+

Using Themes

To use a theme, you need to set the Theme property of the page with the theme name, which is the theme directory name. You may set it in either page configurations or in the constructor or onPreInit() method of the page. You cannot set the property after onPreInit() because by that time, child controls of the page are already created (skins must be applied to controls right after they are created.)

@@ -29,7 +29,7 @@ This will apply the 'Blue' skin to the button. Note, the initial property values To use the javascript files and CSS files contained in a theme, a THead control must be placed on the page template. This is because the theme will register those files with the page and THead is the right place to load those files.

-

Theme Storage

+

Theme Storage

All themes by default must be placed under the [AppEntryPath]/themes directory, where AppEntryPath refers to the directory containing the application entry script. If you want to use a different directory, configure the BasePath and BaseUrl properties of the System.Web.UI.TThemeManager module in application configuration,

@@ -44,7 +44,7 @@ All themes by default must be placed under the [AppEntryPath]/themes di </service> -

Creating Themes

+

Creating Themes

Creating a theme involves creating the theme directory and writing skin files (and possibly javascript and CSS files). The name of skin files must be terminated with .skin. The format of skin files are the same as that of control template files. Since skin files do not define parent-child presentational relationship among controls, you cannot place a component tag within another. And any static texts between component tags are discarded. To define the aforementioned 'Blue' skin for TButton, write the following in a skin file,

-- cgit v1.2.3