ezxml and JavaScript

Kristof Coomans

Thursday 28 December 2006 5:38:37 am

The ezxml link tag doesn't allow inserting JavaScript. When trying to do so, you will get a validation error:

Using scripts in links is not allowed, link '...' has been removed

What do you think is the best solution to insert JavaScript into an ezxml field?

independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org

Paul Forsyth

Thursday 28 December 2006 8:42:13 am

First thought would be a custom tag or within a literal. Though it depends on the use - coding into a template for a custom tag isn't the more practical and I've not tried a literal for js in years (!).

What's your purpose for the js?

Paul

Kristof Coomans

Thursday 28 December 2006 9:55:23 am

I want to insert bookmarklets (http://en.wikipedia.org/wiki/Bookmarklet ).

independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org

Claudia Kosny

Thursday 28 December 2006 3:49:47 pm

Hi Kristof

Can't you just use an onClick attribute?

Claudia

kracker (the)

Thursday 28 December 2006 4:37:55 pm

Use a custom tag!

http://ezpedia.org/wiki/en/ez/custom_tags

There are years of posts about everything you could need to know about custom tags scattered on ez.no

And with the 3.8 release they are simpler to use within the online editor while editing ezxml content object attributes.

//kracker

Member since: 2001.07.13 || http://ezpedia.se7enx.com/

Kristof Coomans

Friday 29 December 2006 1:09:26 am

Thanks for the feedback.

I think the onclick event won't work, since the bookmarklet should be bookmarkable.

I tried a custom tag and that works fine.

Maybe there are still other (and safer) ways to accomplish this. If other users can post on a site then they can also use your custom tag.

Anyone ever used a separate object containing the JavaScript and embedded that with the embed-inline tag? It sounds overkill but when non-privileged users are not allowed to create or edit the JavaScript objects, then there's no danger for XSS attacks.

independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org

kracker (the)

Friday 29 December 2006 1:31:32 am

Why not use a custom tag which does not accept or use user input (via attributes) or content input (inline custom tag)?

//kracker

Member since: 2001.07.13 || http://ezpedia.se7enx.com/

Kristof Coomans

Friday 29 December 2006 2:46:46 am

That's a possibility too. What if I want to add several bookmarklets to an article?

a) I need to add different custom tags for each bookmarklet.
b) I add a switch in the custom tag view template. Depending on a custom tag attribute it inserts the right bookmarklet.

independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org

kracker (the)

Friday 29 December 2006 3:22:51 am

> What if I want to add several bookmarklets to an article?
>
> a) I need to add different custom tags for each bookmarklet.
> b) I add a switch in the custom tag view template. Depending on a custom tag attribute it inserts the right bookmarklet.

In response to item a:
- Question: What exactly will differentiate one final rendered bookmarklet code snippet from another from within the same content attribute / document?

In response to item b:
- Question: Why must custom tag attributes be used to insert the right bookmarklet? (Dependent on answer to above)

- Comment: This would go against processing or using user input in the creation of the custom tag / bookmarklet (to prevent security vulnerabilities related to code injection) unless you have a set standard switch cases say of 1,2,3,4 which insert the correct bookmarklet. It just seems to snowball quickly downhill once you start accepting user input (let alone informing users of accepted input).

- Comment: Because it sounds like a bookmarklet needs a title and a url. The client knows the url and the url's document name. I don't see why your bookmarklet could not be entirely client side js code and avoid this problem entirely. If you have to say pass it a url via js that's simple enough to grab from within the custom tag via the wrap_operator or other method. If you have to say pass it a url document name, say you grab the current document's name + site title from within the custom tag.

- Comment: I still don't see why user input is needed to include a snippet of code which passes your bookmarklet code snippet the needed argument per instance; a name and url detected via php, tpl or js. A good bookmarklet will pop open a browser based dialog with the ability to alter the default name on the client side.

//kracker

It's what I was thinking, I still should not have posted it ..

Member since: 2001.07.13 || http://ezpedia.se7enx.com/

Kristof Coomans

Friday 29 December 2006 3:34:56 am

> Question: What exactly will differentiate one final rendered bookmarklet code snippet from another from within the same content attribute / document
Answer: the title and the content of the href attribute. I meant adding different (~several) bookmarklets.

> unless you have a set standard switch cases say of 1,2,3,4 which insert the correct bookmarklet
Exactly what I meant with b)

independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org
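
The fixed switch discussed above (cases 1, 2, 3, 4 selecting a predefined bookmarklet), sketched in JavaScript as an added example that is not part of the original thread and is not eZ Publish code. `BOOKMARKLETS`, `renderBookmarkletTag` and `isAllowedUserLink` are hypothetical names, and the two bookmarklets are constructed samples.

```javascript
// Added example; all names are hypothetical, not eZ Publish APIs.

// Fixed, administrator-controlled bookmarklets (constructed samples).
// Content authors can only pick a key, never supply the script itself.
const BOOKMARKLETS = Object.freeze({
  '1': { title: 'Show page title', code: 'alert(document.title)' },
  '2': { title: 'Show page URL', code: 'alert(location.href)' },
});

// Escape text for HTML body text or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Render the custom tag. The attribute is used only as a lookup key;
// nothing the author typed is copied into the generated markup.
function renderBookmarkletTag(idAttr) {
  const key = String(idAttr).trim();
  // Own-property check so keys like "constructor" or "__proto__" miss.
  if (!Object.prototype.hasOwnProperty.call(BOOKMARKLETS, key)) {
    return ''; // unknown case: render nothing rather than guess
  }
  const { title, code } = BOOKMARKLETS[key];
  const href = escapeHtml('javascript:' + code);
  return `<a href="${href}">${escapeHtml(title)}</a>`;
}

// Ordinary links typed by users stay restricted, in the spirit of the
// "Using scripts in links is not allowed" validation quoted in the thread.
function isAllowedUserLink(href) {
  // Browsers ignore whitespace and control characters inside a scheme,
  // so strip them before deciding what the scheme is.
  const cleaned = String(href).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  if (!m) return true; // no scheme: relative URL
  return ['http', 'https', 'mailto'].includes(m[1]);
}

console.log(renderBookmarkletTag('1'));
console.log(renderBookmarkletTag('1" onmouseover="x')); // empty string
console.log(isAllowedUserLink('java\tscript:alert(1)')); // false
```
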

Paul Forsyth

Friday 29 December 2006 5:44:02 am

I've just tried using literal and it seems to work fine.

Paul Forsyth

Friday 29 December 2006 6:20:43 am

Hmmm, it looks like the link does go through but the brackets are mangled by eZ in the db :(

Tally Amara

Monday 01 January 2007 2:45:27 am

Please tell me how to add Google Analytics to my site.
Thanks,
Tally

Brookins Consulting

Monday 19 November 2007 6:20:49 am

@Tally Amara
> Re: Please tell me how to add Google Analytics to my site.

Hello,

While this conversation has come to a close we would like to add the following note to future forum archive readers searching for a similar solution.

BC Website Statistics is a product (an extension) certified by eZ Systems, supported by Brookins Consulting, and a flexible proven solution for integrating Google Analytics with eZ Publish. This extension has been created to provide eZ Publish customers seeking a complete, ready to use, out-of-the-box solution integrating eZ Publish with the Google Analytics web statistics reporting service.

BC Website Statistics, http://ez.no/products/certified_extensions/bc_website_statistics

Cheers,
Brookins Consulting

eZ Partner | North American Experience
http://brookinsconsulting.com/experience
