[Borges-users] Patches, Proposals: Patch for current CVS

Eric Hodel drbrain at segment7.net
Thu Apr 1 06:55:49 EST 2004


Kaspar Schiess (eule at space.ch) wrote:

> Hello all, Hello Eric,
> 
> I would like to propose a few changes to the current Borges CVS; I will
> comment on the ones that I am not sure that they are obvious:

I'll do my best to comment on these, but it'd be easier if there was one
email per issue.  It also makes it easier to commit the patches I
accept right away.

> a) Introduction of text_area_on analogous to text_input_on.

Ok.

> b) Security patch to input type=* value=... and to text_area: Values
> always should be html encoded; if they are not, user can terminate tag
> and include javascript into the page. This has happened on major online
> forums; it is (from my point of view) unnecessary to give the Borges
> user a choice about encoding these values, because not doing so is
> always a security risk.

Ok.

Seaside's #text now encodes the text by default.  I'd like to do this as
well.  Could this problem be solved in a more general way by simply
encoding all attribute values?

> c) Introduction of more verbose error output if Borges cannot find a
> continuation to call.

Ok, tentatively.  When do you run into this problem?

> d) Some paragraphs re-added (for better legibility of output) in new
> style paragraphing.

This will generate invalid HTML, since <form> is a block element,
<p><form>...</form></p> will throw a validation error on the unopened
<p>.

Browsers will parse this as:

<p></p>

<form>...</form>

</p><!-- error! -->

For the pages where it is a problem, a CSS/fieldset solution will
probably fit better.

> e) Borges::Path should now work. Can anyone explain to me how to use
> this properly ?

Ugh, it suffers from being too Smalltalkish.  I can clean up your patch,
too.

I think you can use Borges::Path for breadcrumbs.

> f) Borges::Window should now work. This will 'open' a Window that can be
> closed at will.

Excellent.

> g) Introduction of 'HtmlRenderer#action': like 'default_action', but
> action will always be executed (not just last one defined). Helps in
> developing render extensions that do complex things and need to
> integrate the borges way. I have built a custom component that renders
> complex forms and stores them as YAML string to the backend: UI candy
> without the DB hassle. So I would really like this to be in Borges.

Ok.

> These changes are implemented in attached patch to today's CVS. I will
> gladly produce separate patches if anyone does want a subset of these
> changes.

Please.

> I also attach the current variant of the user documentation I am
> maintaining at interim (until we find a better way to do it). Some small
> changes, plus adaptations to new CVS code.

Ugh, I have yet to look at these.  Still working towards it.

> diff -u -r ../borges-patch/./lib/Borges/Component/Path.rb ./lib/Borges/Component/Path.rb
> --- ../borges-patch/./lib/Borges/Component/Path.rb	Thu Nov 27 10:13:03 2003
> +++ ./lib/Borges/Component/Path.rb	Thu Mar 25 15:52:51 2004
>    def render_content_on(r)
>      return self if @stack.empty?
>  
> -    r.divNamed_with('path', proc do
> -      @stack.allButLast.each do |assoc|
> -        r.anchorWithAction_text(proc do
> +    r.css_class('path')
> +    r.div do

Please use #div_with_class for divs with a CSS class.

> +      (0... at stack.size-1).each do |i|
> +	assoc = @stack[i]
> +	r.anchor(assoc[1]) do 
>            self.choose(assoc)
> -        end, assoc.key)
> +	end
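
Review bot: The link label changes from `assoc.key` to `assoc[1]` in the new `r.anchor(assoc[1])` call, and on a key/value pair index 1 would normally be the value rather than the key; please confirm index 1 really holds the label. The index loop `(0...@stack.size-1).each do |i|` could also be written `@stack[0...-1].each do |assoc|`, and the new `assoc =`, `r.anchor` and `end` lines are indented with tabs where the surrounding lines use spaces.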

> diff -u -r ../borges-patch/./lib/Borges/HTML/HtmlBuilder.rb ./lib/Borges/HTML/HtmlBuilder.rb
> --- ../borges-patch/./lib/Borges/HTML/HtmlBuilder.rb	Sun Mar 21 02:13:24 2004
> +++ ./lib/Borges/HTML/HtmlBuilder.rb	Thu Mar 25 16:41:32 2004
> @@ -80,15 +80,28 @@
>    def element_id(e_id)
>      @attributes[:id] = e_id
>    end
> -
> +  

Ack! Trailing whitespace!

>    ##
>    # Escapes +char+ and adds it to the document.
> -
> +  
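
Review bot: Both visible changes in this HtmlBuilder.rb diff (after `element_id` and after the `# Escapes +char+` comment) only replace an empty line with one containing two spaces; drop them so the diff carries no whitespace-only noise. The header `@@ -80,15 +80,28 @@` says 13 lines are added, none of which are quoted here, so the functional part of this hunk still needs review once it is visible.
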
> diff -u -r ../borges-patch/./lib/Borges/HTML/HtmlRenderer.rb ./lib/Borges/HTML/HtmlRenderer.rb
> --- ../borges-patch/./lib/Borges/HTML/HtmlRenderer.rb	Sun Mar 21 02:06:54 2004
> +++ ./lib/Borges/HTML/HtmlRenderer.rb	Thu Mar 25 16:55:44 2004
> @@ -232,9 +240,18 @@
>  
>      @attributes[:name] = @callbacks.register_callback(&callback)
>      open_tag(:textarea)
> -    render(value)
> +    render(encode_string(value))

Can encode_text(value) be used instead here?

>      close
>    end
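
Review bot: In the textarea hunk, `render(encode_string(value))` escapes at this one call site, so the fix holds only as long as `render` itself never escapes; if `render` is later changed to encode by default, the value is encoded twice and users see literal entities. Suggest doing the escaping in one layer (inside `render` or a dedicated text helper) and adding a test that a value containing `</textarea>` comes back as inert text. The header `@@ -232,9 +240,18 @@` says the hunk grows from 9 to 18 lines, but only this one changed line is quoted, so the rest cannot be reviewed here.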

-- 
Eric Hodel - drbrain at segment7.net - http://segment7.net
All messages signed with fingerprint:
FEC2 57F1 D465 EB15 5D6E  7C11 332A 551C 796C 9F04
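
Added example, not part of the original message or the Borges code base: a minimal Ruby builder showing the general approach raised for item (b), escaping every attribute value and the textarea body in one place, beside the unescaped output. `TinyBuilder`, its methods and the sample values are hypothetical and constructed for illustration; `CGI.escapeHTML` is from Ruby's standard library.

```ruby
require 'cgi'

# Hypothetical minimal builder (not Borges code): every attribute value is
# escaped in one place, so individual callers cannot forget to encode.
class TinyBuilder
  # encode: false reproduces the unescaped behaviour for comparison only.
  def initialize(encode: true)
    @encode = encode
  end

  # Render an opening tag; attrs is a Hash of attribute name => value.
  def open_tag(name, attrs = {})
    rendered = attrs.map { |k, v| %( #{k}="#{esc(v)}") }.join
    "<#{name}#{rendered}>"
  end

  def text_input(value)
    open_tag(:input, type: 'text', value: value)
  end

  # Element content needs the same treatment as attribute values.
  def text_area(value)
    "#{open_tag(:textarea)}#{esc(value)}</textarea>"
  end

  private

  def esc(value)
    s = value.to_s
    @encode ? CGI.escapeHTML(s) : s
  end
end

# Constructed sample values: the first closes the attribute and the tag,
# the second closes the textarea element.
ATTR_VALUE = %("><script>alert(1)</script>)
AREA_VALUE = %(</textarea><script>alert(1)</script>)

def demo
  { raw_input:  TinyBuilder.new(encode: false).text_input(ATTR_VALUE),
    safe_input: TinyBuilder.new.text_input(ATTR_VALUE),
    raw_area:   TinyBuilder.new(encode: false).text_area(AREA_VALUE),
    safe_area:  TinyBuilder.new.text_area(AREA_VALUE) }
end

demo.each { |label, html| puts "#{label}: #{html}" }
```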
