Closed heyarny closed 8 years ago
Yes, that's why I'd suggest to separate both. Status text and response text. Right now I have no way to find out the status text or get raw response object to create my own style of response.
On Sun, May 11, 2014 at 7:12 PM, Manuel Carrasco notifications@github.com wrote:
The problem is that StatusText normally does not have enough information, just the HTTP error wording.
The security issue is only in the case you show that string in an HTML element without sanitizing the content. Normally you have to use something like SafeHtmlUtils.htmlEscape before showing that text, or to use GQuery.text(htmlstring) instead of GQuery.html(htmlstring).
Hi Arnold,
Could you please open an issue on GitHub for that? We will continue to discuss this on that issue.
Thanks,
Julien
Julien this is already an issue.
Ooops sorry :-) I read all my mails after three days off and I thought it was a discussion on the mailing list
This issue has had no activity for more than a year. Feel free to reopen if it is still needed.
I just switched to Ajax from RequestBuilder and found that Ajax is creating an exception appending the response text which may contain HTML tags and may lead to security issues.
I've modified the com.google.gwt.query.client.plugins.deferred.PromiseReqBuilder to have a clean text-only status-text exception. I'd even suggest to separate the exception and textResponse (if needed at all) and let the client decide which argument is best for his needs.