In Elements/CollectionAsTable/ParseFormat, along with the code for /TITLE,
/STYLE and /ALIGN, there is code to parse /CLASS and store the value.
But nothing ever reads it

Would the appended patch make sense? (Against 3.6.4)
With this I can tweak the format to set classes, which allows CSS to
reference particular

Nicholas Clark

Index: html/Elements/CollectionAsTable/Row
RCS file: /export/cvsroot/rt-external/html/Elements/CollectionAsTable/Row,v
retrieving revision 1.1.1.2
diff -p -u -r1.1.1.2 Row
— html/Elements/CollectionAsTable/Row 1 Aug 2007 15:56:53 -0000 1.1.1.2
+++ html/Elements/CollectionAsTable/Row 20 Aug 2007 11:02:13 -0000
@@ -71,7 +71,8 @@ foreach my $column (@Format) {
next;
}
$item++;

• $m->out(’<td class=“collection-as-table” ');

• my $class = $column->{class} || ‘collection-as-table’;
• $m->out(qq{<td class="$class" });
  $m->out( ‘align="’ . $column->{align} . ‘"’ ) if ( $column->{align} );
  $m->out( ‘style="’ . $column->{style} . ‘"’ ) if ( $column->{style} );
  $m->out(’>’);

In Elements/CollectionAsTable/ParseFormat, along with the code for /
TITLE,
/STYLE and /ALIGN, there is code to parse /CLASS and store the value.
But nothing ever reads it

Would the appended patch make sense? (Against 3.6.4)
With this I can tweak the format to set classes, which allows CSS to
reference particular s

Before you commit this, can you make sure that $class gets properly
escaped? so that users cant’ inject javascript and the like?

PGP.sig (186 Bytes)

as well it may be better to join classes instead of replacing.On 8/20/07, Jesse Vincent jesse@bestpractical.com wrote:

On Aug 20, 2007, at 11:55 AM, Nicholas Clark wrote:

In Elements/CollectionAsTable/ParseFormat, along with the code for /
TITLE,
/STYLE and /ALIGN, there is code to parse /CLASS and store the value.
But nothing ever reads it

Would the appended patch make sense? (Against 3.6.4)
With this I can tweak the format to set classes, which allows CSS to
reference particular s

Before you commit this, can you make sure that $class gets properly
escaped? so that users cant’ inject javascript and the like?

Nicholas Clark

Index: html/Elements/CollectionAsTable/Row

RCS file: /export/cvsroot/rt-external/html/Elements/
CollectionAsTable/Row,v
retrieving revision 1.1.1.2
diff -p -u -r1.1.1.2 Row
— html/Elements/CollectionAsTable/Row 1 Aug 2007 15:56:53 -0000
1.1.1.2
+++ html/Elements/CollectionAsTable/Row 20 Aug 2007 11:02:13 -0000
@@ -71,7 +71,8 @@ foreach my $column (@Format) {
next;
}
$item++;

• $m->out('<td class=“collection-as-table” ');

• my $class = $column->{class} || ‘collection-as-table’;
• $m->out(qq{<td class=“$class” });
  $m->out( ‘align="’ . $column->{align} . ‘"’ ) if ( $column->
  {align} );
  $m->out( ‘style="’ . $column->{style} . ‘"’ ) if ( $column->
  {style} );
  $m->out(‘>’);

---

List info: lists.bestpractical.com Mailing Lists
rt-devel

---

List info: The rt-devel Archives

Best regards, Ruslan.

as well it may be better to join classes instead of replacing.

• $m->out('<td class=“collection-as-table” ');

• my $class = $column->{class} || ‘collection-as-table’;
• $m->out(qq{<td class=“$class” });

I wasn’t sure about that. I initially had the code appending to the class,
but it occurred to me that then there wasn’t a way to take out
‘collection-as-table’ if you wanted to do that. Whereas this way, you can
add it in if you also need it.

Nicholas Clark

as well it may be better to join classes instead of replacing.

• $m->out('<td class=“collection-as-table” ');

• my $class = $column->{class} || ‘collection-as-table’;
• $m->out(qq{<td class=“$class” });

I wasn’t sure about that. I initially had the code appending to the class,
but it occurred to me that then there wasn’t a way to take out
‘collection-as-table’ if you wanted to do that. Whereas this way, you can
add it in if you also need it.

Done (my way for now) as revision 8669. Please change it if necessary.

I attempted to make a patch to counter potential XSS problems with /ALIGN
and /STYLE, but couldn’t manage to be sure that it was working so didn’t
commit it. (Couldn’t actually craft a query string that would parse correctly,
and I am under severe time pressure, so I can’t stop to resolve this. Sorry)

I’ve appended the patch - I think that it is correct, but I can’t prove it.

Nicholas Clark

Index: html/Elements/CollectionAsTable/Row
— html/Elements/CollectionAsTable/Row (revision 8669)
+++ html/Elements/CollectionAsTable/Row (working copy)
@@ -75,8 +75,12 @@
my $class = $column->{class}
? encode_entities($column->{class}, q{'“&<>}) : ‘collection-as-table’;
$m->out(qq{<td class=”$class" });

• $m->out( ‘align="’ . $column->{align} . ‘"’ ) if ( $column->{align} );
• $m->out( ‘style="’ . $column->{style} . ‘"’ ) if ( $column->{style} );

• if ( $column->{align} ) {

•    $m->out( 'align="' . encode_entities( $column->{align}, q{'"&<>} ) . '"' ) ;
  

• }
• if ( $column->{style} ) {

•    $m->out( 'style="' . encode_entities( $column->{style}, q{'"&<>} ) . '"' ) ;
  

• }
  $m->out(‘>’);
  foreach my $subcol ( @{ $column->{output} } ) {
  if ( $subcol =~ /^(.*?)$/o ) {

as well it may be better to join classes instead of replacing.

• $m->out('<td class=“collection-as-table” ');

• my $class = $column->{class} || ‘collection-as-table’;
• $m->out(qq{<td class=“$class” });

I wasn’t sure about that. I initially had the code appending to
the class,
but it occurred to me that then there wasn’t a way to take out
‘collection-as-table’ if you wanted to do that. Whereas this way,
you can
add it in if you also need it.

Done (my way for now) as revision 8669. Please change it if necessary.

I attempted to make a patch to counter potential XSS problems with /
ALIGN
and /STYLE, but couldn’t manage to be sure that it was working so
didn’t
commit it. (Couldn’t actually craft a query string that would parse
correctly,
and I am under severe time pressure, so I can’t stop to resolve
this. Sorry)

I’ve appended the patch - I think that it is correct, but I can’t
prove it.

+1. Go for it.

PGP.sig (186 Bytes)