We are pleased to announce the availability of Servoy 8.1.1 (release number 3029)
This version is available through the download at the Servoy website
and through the update site url: http://download.servoy.com/developer/8xx_updates/
Fixes and improvements in this release:
See also for more info about the XSS security stuff: this page
Some extra bug fixes and performance improvements are done for this release compared to the 8.1.1RC:
issues fixed see our wiki: https://wiki.servoy.com/display/DOCS/8.1.1
Previous release notes of 8.1.1RC: this page
I have upgraded to V8.1.1 and have read the stuff on XSS but am struggling to get an element that contains some Javascript to display in NG Client. The wiki says that to allow elements that contain HTML to be shown “as-is” we need to add a client property to the element using code similar to:
elements.usernameLabel.putClientProperty(APP_UI_PROPERTY.TRUST_DATA_AS_HTML, true);
The problem I am having is that the element that contains my Javascript is a Bootstrap label and developer is giving a warning saying that putClientProperty is not defined for the type bootstrap components-label. Anyone any idea how I can get my Javascript to run (it is a site seal showing that our site is secure and is supplied by the SSL issuer)?
Thanks
If it works and you just want to get rid of the warning try this:
elements.usernameLabel["putClientProperty"](APP_UI_PROPERTY.TRUST_DATA_AS_HTML, true);
Unfortunately it doesn’t seem to work - I am going to try and set the application level property just to see if that solves the issue and go from there.
Steve
I am testing this now; what are the properties you set on a bootstrap label?
Because the normal label (labelFor == false) has a security issue right now, because it will execute javascript (trust all html) by default…
If you use it with the labelFor property set to true, then that one is the opposite: it never allows javascript to be executed (no matter what property is set).
What I don’t fully understand is what you are trying to fix here.
Because pre 8.1.1 the bootstrap label never even trusted the html. We did what angular does by default (and that’s sanitizing the html).
Only with the 8.1.1 release did we add code to the bootstrap label which would also allow javascript and so on to be executed (and that was working “too good”).
So what does your usernameLabel really do? What is the text value? Is that html with javascript?
I am trying to create an equivalent of our current web client login form using the sampleCrm_login solution as a guide. Having just looked at the original code in order to try and give a good example here, I can see that my original information was incorrect. I was under the impression that we had used a label component to display the site seal but it is in fact an HTML_AREA. My confusion came from bad naming by the original developer, who had named the object lblSiteSeal! I was trying to recreate the component using a bootstrap label with the text property set to:
<span id="siteseal"><script type="text/javascript" src="https://seal.godaddy.com/getSeal?sealID=6fVxIxNOpAEl93gtigOB99OtUbjtoLDAplKFraWT2oBGglmWPUbcqiku45F3"></script></span>
So to clarify:-
Can I use a bootstrap-label component with the text property set to this value and should the javascript be executed? If so how do I flag this particular instance of the component as safe to execute the script? Or do I need to use an HTML_AREA field with a form level data provider as previously?
Sorry for the confusion
Steve
The bootstrap label should also just work (for sure the one that is now released).
I will make a new release of the bootstrap components soon that fixes the problem that the above script is always working, and then you really need to do:
elements.label_1.putClientProperty(APP_UI_PROPERTY.TRUST_DATA_AS_HTML, true);
before that will work. (This put property should be done as soon as possible, so in the onLoad.)
That will give a javascript warning because putClientProperty is not seen as a valid method to call on a webcomponent (for this you can create a case so we can add that to the code completion and validation).
So you can use a bootstrap label or an html area component, but for both you need to specify that you want to execute javascript in the given html.
A new release of the bootstrap components is created: https://github.com/Servoy/bootstrapcomp … tag/v1.0.6
Hi Johan,
I have downloaded the new release of the bootstrap components and the seal now shows up perfectly in developer but does not show in the browser when I run the solution! If I inspect the element in the browser it looks like the value of the label is becoming corrupted somehow. In developer I have entered the following for the text property:
<span id="siteseal"><script async type="text/javascript" src="https://seal.godaddy.com/getSeal?sealID=6fVxIxNOpAEl93gtigOB99OtUbjtoLDAplKFraWT2oBGglmWPUbcqiku45F3"></script></span>
But when it is rendered in the browser I can see the following:
<script type="text/javascript" src="https://seal.godaddy.com/getSeal?sealID=6fVxIxNOpAEl93gtigOB99OtUb>jtoLDAplKFraWT2oBGglmWPUbcqiku45F3"></script>
It seems to have a spurious “>” in the middle of the string!
This is the developer image:
[attachment=2]developer.png[/attachment]
This is the browser:
[attachment=1]browser.png[/attachment]
And this is the HTML that is rendered:
[attachment=0]inspecthtml.png[/attachment]
Any ideas?
Thanks
Steve
I can’t reproduce that; also, the span of the siteseal is in a really weird place. It should be inside the span that is below that (with ng-class svy-click).
So please make a sample that shows this.
I have just gone to try and create a sample that demonstrates this and everything has now changed again :(
The seal still shows in Developer but the browser now has the span in the correct place but it is empty. It will only show in the browser if I add:
elements.lblSiteSeal.putClientProperty(APP_UI_PROPERTY.TRUST_DATA_AS_HTML, true);
to the onLoad event. Should that be the case? It also gives me a warning that putClientProperty is undefined for bootstrapcomponents-label but it works :D
Looks like the original problem was sorted by a reboot overnight.
Thanks
Steve
Yes, that is what you need to do.
You need to tell Servoy (or the component) that it should execute the javascript tag. By default that will be filtered out.
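
The thread ends with script in label text being filtered by default and running only once the element is flagged with TRUST_DATA_AS_HTML. As an added example (not part of the thread and not Servoy code), the following fail-closed pre-check confirms that the markup assigned to such an element contains nothing executable except external scripts from an expected host. `isSafeToTrust` and `ALLOWED_SCRIPT_HOSTS` are hypothetical names, and the sample markup is constructed.

```javascript
// Added example: fail-closed check to run before flagging an element TRUST_DATA_AS_HTML.
// ALLOWED_SCRIPT_HOSTS and isSafeToTrust are hypothetical names, not Servoy API.
const ALLOWED_SCRIPT_HOSTS = new Set(['seal.godaddy.com']);

// Matches only a script element with attributes and an empty body.
const EXTERNAL_SCRIPT = /<script\b([^<>]*)>\s*<\/script\s*>/gi;

function isSafeToTrust(html, allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  let ok = true;
  // Validate, then remove, every well-formed external script element.
  const rest = html.replace(EXTERNAL_SCRIPT, (_match, attrs) => {
    const src = /\bsrc\s*=\s*"([^"]*)"/i.exec(attrs);
    if (!src) { ok = false; return ''; }
    try {
      const url = new URL(src[1]);
      if (url.protocol !== 'https:' || !allowedHosts.has(url.hostname)) ok = false;
    } catch (e) {
      ok = false; // relative or malformed URL
    }
    return '';
  });
  // A script tag that survives is inline or malformed: reject.
  if (/<\s*script/i.test(rest)) ok = false;
  // Event-handler attributes or javascript: URLs anywhere: reject.
  if (/\bon\w+\s*=|javascript:/i.test(html)) ok = false;
  return ok;
}

// Constructed sample values (the seal ID is a placeholder).
const SEAL_HTML = '<span id="siteseal"><script async type="text/javascript" ' +
  'src="https://seal.godaddy.com/getSeal?sealID=EXAMPLE"></script></span>';
const INLINE_HTML = '<span><script>track()</script></span>';
const OTHER_HOST_HTML = '<script src="https://cdn.example.net/x.js"></script>';
const HANDLER_HTML = '<img src="a.png" onerror="track()">';

// In a Servoy form onLoad handler the result would gate the opt-in, e.g.:
// if (isSafeToTrust(SEAL_HTML)) {
//   elements.lblSiteSeal.putClientProperty(APP_UI_PROPERTY.TRUST_DATA_AS_HTML, true);
// }
```

The check is deliberately stricter than an HTML parser: anything it does not recognise (single-quoted `src`, a relative URL, a broken tag) is rejected rather than trusted.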