Wednesday, 16 April 2014 19:38

Error in class name and unescaped output

Report Xmap bugs on this forum.


Postby fedefil » Thu Oct 18, 2007 2:32 pm

Hi,

I'm in the process of migrating my sites from Joomla 1.0.13 to 1.5RC3 and I just tried Xmap as a replacement for Joomap (still incompatible).

I noticed a couple of bugs I hope you can fix in the next release of Xmap.

First, the class name for top level tags is "level_" instead of "level_0".
I inspected the code and saw that you actually pass an empty string to XmapHtml::getHtmlList as the third argument, hence the resulting wrong class name.
I think you should explicitly pass '0' or leave the argument empty (in this case, it must be the rightmost in the argument list, otherwise it cannot be omitted).

Second, you should properly escape the output when inserting strings from the database.
For example, when you use $node->name when building the anchor tags you should always use the htmlspecialchars function to avoid invalid markup (I have some menu titles containing double quote characters).

I'd also like to suggest a few improvements to Xmap (sorry if I'm OT here).

First, please make it possible to deactivate the default stylesheet (I know I can simply comment or blank it out in the backend, but I also do not want it linked in the HTML header by default when showing the component).

Second, in case you rewrite Xmap for full compatibility with Joomla 1.5!, please consider adding full template support, so that all HTML output can be overridden (for example, I'd like to be able to output the component title as a title instead of a tag).

Thanks for your attention.

Federico
fedefil
Fresh Boarder
Posts: 3
Joined: Thu Oct 18, 2007 12:59 pm
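
Both reported bugs, reproduced in an added example that is not part of any post and is not Xmap's own code: a node name containing double quotes breaks the anchor markup, and an empty level string yields the class "level_". The function names and the `$node->link` field are assumptions; the final check assumes PHP's SimpleXML extension is available.

```php
<?php
// Added example, not Xmap source. Function names and $node->link are assumed.

// Unescaped: a double quote in the name ends the title attribute early,
// and an empty $level produces the class name "level_".
function renderNodeRaw(stdClass $node, $level = 0): string
{
    return '<li class="level_' . $level . '"><a href="' . $node->link
         . '" title="' . $node->name . '">' . $node->name . '</a></li>';
}

// Encode a database string for use in HTML text or a quoted attribute.
function esc(string $s): string
{
    // ENT_QUOTES covers both quote styles; the charset is stated explicitly.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Escaped: every stored string is encoded at output time, and the level
// is an integer that defaults to 0 when the caller omits it.
function renderNodeEscaped(stdClass $node, int $level = 0): string
{
    $name = esc($node->name);
    return '<li class="level_' . $level . '"><a href="' . esc($node->link)
         . '" title="' . $name . '">' . $name . '</a></li>';
}

// Constructed sample row: a menu title with double quotes and an ampersand.
$node = new stdClass();
$node->name = 'The "Best of" Q&A';
$node->link = 'index.php?option=com_content&id=7';

echo renderNodeRaw($node, ''), "\n";   // level passed as an empty string
echo renderNodeEscaped($node), "\n";   // level omitted, default used

// Well-formedness check: parse each fragment as XML and report the result.
libxml_use_internal_errors(true);
var_dump(simplexml_load_string(renderNodeRaw($node, '')) !== false);
var_dump(simplexml_load_string(renderNodeEscaped($node)) !== false);
```

Escaping at output time, rather than when the title is saved, keeps the stored value unchanged for other consumers such as the XML sitemap.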

Re:Error in class name and unescaped output

Postby guilleva » Thu Oct 18, 2007 11:10 pm


First, the class name for top level tags is "level_" instead of "level_0".


This is already fixed on the development version. (To be released soon)


Second, you should properly escape the output when inserting strings from the database.

Right! I will do it ;)!

First, please make possible to deactivate the default stylesheet (I know I can simply comment or blank it out in the backend, but I also do not want it linked in the HTML header by default when showing the component).

Yes, that's true! Added to "TODO list"!

Second, in case you rewrite Xmap for full compatibility with Joomla 1.5!, please consider adding full template support, so that all HTML output can be overridden (for ex., I'd like to be able to output the component title as a title instead of a tag).

Ok, I'm going to have that in mind!

Thanks for your attention.


Thanks you for your comments!
guilleva
Administrator
Posts: 1527
Joined: Wed Sep 12, 2007 3:10 am
Location: San José, Costa Rica

Re:Error in class name and unescaped output

Postby fedefil » Tue Nov 27, 2007 3:58 pm

Proper output escaping still missing in 1.0.4.
fedefil
Fresh Boarder
Posts: 3
Joined: Thu Oct 18, 2007 12:59 pm