From 4e92e78b70299854205294ee43f056bda619e4db Mon Sep 17 00:00:00 2001
From: "ctrlaltca@gmail.com" <>
Date: Mon, 26 Mar 2012 10:10:51 +0000
Subject: added some documentation for the changes introduced to fix #391
---
framework/TComponent.php | 54 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 52 insertions(+), 2 deletions(-)
(limited to 'framework')
diff --git a/framework/TComponent.php b/framework/TComponent.php
index e413aebc..e0afac44 100644
--- a/framework/TComponent.php
+++ b/framework/TComponent.php
@@ -35,6 +35,31 @@
* in the format of concatenated words, with the first letter of each word
* capitalized (e.g. DisplayMode, ItemStyle).
*
+ * Since Prado 3.2 a new class of javascript-friendly properties have been introduced
+ * to better deal with potential security problems like cross-site scripting issues.
+ * All the data that gets sent clientside inside a javascript block is now encoded by default.
+ * Sometimes there's the need to bypass this encoding and be able to send raw javascript code.
+ * This new class of javascript-friendly properties are identified by their name
+ * starting with 'js' (case insensitive):
+ *
+ * // getter, defines a readable property 'Text'
+ * function getJsText() { ... }
+ * // setter, defines a writable property 'Text', with $value being the value to be set to the property
+ * function setJsText(TJavaScriptLiteral $value) { ... }
+ *
+ * Js-friendly properties can be accessed using both their Js-less name and their Js-enabled name:
+ *
+ * // set some simple text as property value
+ * $component->Text = 'text';
+ * // set some javascript code as property value
+ * $component->JsText = 'raw javascript';
+ *
+ * In the first case, the property value will automatically gets encoded when sent
+ * clientside inside a javascript block.
+ * In the second case, the property will be 'marked' as being a safe javascript
+ * statement and will not be encoded when rendered inside a javascript block.
+ * This special handling makes use of the {@link TJavaScriptLiteral} class.
+ *
* An event is defined by the presence of a method whose name starts with 'on'.
* The event name is the method name and is thus case-insensitive.
* An event can be attached with one or several methods (called event handlers).
@@ -955,8 +980,25 @@ class TComponentReflection extends TComponent
/**
* TJavaScriptLiteral class that encloses string literals that are not
- * supposed to be escaped by TJavaScript::encode()
+ * supposed to be escaped by {@link TJavaScript::encode() }
+ *
+ * Since Prado 3.2 all the data that gets sent clientside inside a javascript statement
+ * is encoded by default to avoid any kind of injection.
+ * Sometimes there's the need to bypass this encoding and send raw javascript code.
+ * To ensure that a string doesn't get encoded by {@link TJavaScript::encode() },
+ * construct a new TJavaScriptLiteral:
+ *
+ * // a javascript test string
+ * $js="alert('hello')";
+ * // the string in $raw will not be encoded when sent clientside inside a javascript block
+ * $raw=new TJavaScriptLiteral($js);
+ * // shortened form
+ * $raw=_js($js);
+ *
*
+ * @version $Id$
+ * @package System
+ * @since prado 3.2
*/
class TJavaScriptLiteral
{
@@ -978,10 +1020,18 @@ class TJavaScriptLiteral
}
}
+/**
+ * TJavaScriptString class is an internal class that marks strings that will be
+ * forcibly encoded when rendered inside a javascript block
+ *
+ * @version $Id$
+ * @package System
+ * @since prado 3.2
+ */
class TJavaScriptString extends TJavaScriptLiteral
{
public function toJavaScriptLiteral()
{
return TJavaScript::jsonEncode((string)$this->_s,JSON_HEX_QUOT | JSON_HEX_APOS | JSON_HEX_TAG);
}
-}
\ No newline at end of file
+}
--
cgit v1.2.3