Timeline - data does not change; but quotes do.

UI Components for JSF
tony.herstell
Posts: 214
Joined: 29 Nov 2011, 00:40

24 Jun 2021, 23:02

Hi Team,
I found an interesting "feature" on Timeline (PF10).
I had a string for the object in the Timeline and the data being displayed had quotes.
F12 to see why the page just died (as there was nothing in the logs) and, sure enough, the console reported an error... the offending quote was highlighted in the timeline variable, which broke the page render.

Now:
The tooltip had replaced the quote with something more useful; but the data had not been sanitised.
As the data is just an "object" then I can see why it would not have been sanitised; but, perhaps, for convenience (and to help debugging) it may be "convenient" to check if the object has any strings (or is just a string, as in my case) and apply the same sanitiser as the tooltip... as this would seem to be consistent anyhow.

Just a suggestion.

Tony
PF12+, Quarkus 3.2+ (CDI, JPA etc.), JSF Bridge (MyFaces 4.0.1)
Don't forget the classifier:

Code:

   ...primefaces
  <classifier>jakarta</classifier>
     ... theme
  <classifier>jakarta</classifier>

Melloware
Posts: 3717
Joined: 22 Apr 2013, 15:48

25 Jun 2021, 13:14

If you can create a PrimeFaces Test reproducer and report it on the GitHub issues page we can take a look at it. I am not quite sure what the problem is but it sounds like something is not being escaped properly.
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1

tony.herstell
Posts: 214
Joined: 29 Nov 2011, 00:40

25 Jun 2021, 19:54

I hope this is clearer:

In creating a primefaces timeline:

e.g.

Code:

<p:timeline id="timeline" value="#{basicTimelineView.model}"
...
model.add(TimelineEvent.<String>builder()
    .data("PrimeUI 1.1")                  // <-- NOT escaped
    .title("Prime for JSF rocks")         // <-- escaped
    .startDate(LocalDate.of(2014, 6, 12))
    .build());
Picking up data from the DB gave:
[Prime ]
[Faces "] <-- broke the page render! Nothing in the logs on the server; I had to F12 and look at the JavaScript console.
[Rocks ]
and this was put into the
.data
.title
part.

.data (expected to be an "object") is not escaped
.tooltip (expected to be a string) is escaped

It was a gotcha....

My suggestion was, to stop the common case being a problem, do an instanceof() on the data and use the sanitiser on any strings.

It's not a bug... it's a feature request.
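An added example of the escaping rule Tony proposes, written for this page; it is not PrimeFaces code and not from either poster. It assumes, as a simplification, that the component writes each event into an inline script as a JavaScript object literal with double-quoted strings. The emitter (`renderTimelineScript`), the escaper (`escapeForJavaScript`), the `data` renderer (`dataLiteral`), the parse stand-in (`parseEmittedScript`) and the three sample rows (modelled on the [Prime ] / [Faces "] / [Rocks ] values above) are all constructed for the demonstration. It runs under Node:

```javascript
// Added example, not PrimeFaces code. Simulates a server-side emitter that
// writes timeline events into an inline <script> as a JS object literal,
// first without escaping `data` (the behaviour described in the thread) and
// then with the suggested "if it is a string, escape it" rule applied.

// Constructed sample rows, modelled on the [Prime ] / [Faces "] / [Rocks ]
// values the thread says were read from the database.
const SAMPLE_EVENTS = [
  { title: 'Prime for JSF rocks', data: 'Prime ', start: '2014-06-12' },
  { title: 'Prime for JSF rocks', data: 'Faces "', start: '2014-06-13' },
  { title: 'Prime for JSF rocks', data: 'Rocks ', start: '2014-06-14' },
];

// Escape a value for use inside a double-quoted JS string literal that is
// itself embedded in an HTML <script> block. Quotes and backslashes keep the
// literal intact; line terminators (including U+2028/U+2029) keep it on one
// logical line; < > & become \uXXXX so a value containing "</script>" cannot
// terminate the block.
function escapeForJavaScript(s) {
  return String(s).replace(/[\\"'\n\r\u2028\u2029<>&]/g, (ch) => {
    switch (ch) {
      case '\\': return '\\\\';
      case '"': return '\\"';
      case "'": return "\\'";
      case '\n': return '\\n';
      case '\r': return '\\r';
      default:
        return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
    }
  });
}

// Render the `data` field. Strings get the escaper (the typeof check is the
// JS analogue of the instanceof check suggested in the thread); anything else
// is serialised as JSON, which is already a valid JS literal, with "<"
// escaped for the same </script> reason.
function dataLiteral(data, sanitise) {
  if (typeof data === 'string') {
    return '"' + (sanitise ? escapeForJavaScript(data) : data) + '"';
  }
  return JSON.stringify(data === undefined ? null : data).replace(/</g, '\\u003c');
}

// Build the script body. `title` is always escaped, matching the thread's
// observation; `data` is escaped only when sanitise is true.
function renderTimelineScript(events, sanitise) {
  const items = events.map((ev) =>
    '{title:"' + escapeForJavaScript(ev.title) + '",' +
    'data:' + dataLiteral(ev.data, sanitise) + ',' +
    'start:"' + escapeForJavaScript(ev.start) + '"}');
  return 'return [' + items.join(',') + '];';
}

// Stand-in for the browser parsing the inline script: a SyntaxError here is
// the "page just died, nothing in the server logs" symptom from the thread.
function parseEmittedScript(script) {
  try {
    return { ok: true, items: new Function(script)() };
  } catch (e) {
    return { ok: false, error: e.name + ': ' + e.message };
  }
}

const broken = parseEmittedScript(renderTimelineScript(SAMPLE_EVENTS, false));
const fixed = parseEmittedScript(renderTimelineScript(SAMPLE_EVENTS, true));
console.log('unsanitised:', broken.ok, broken.error);
console.log('sanitised:  ', fixed.ok, fixed.items.map((i) => i.data));
```

The unsanitised render fails with a SyntaxError on the second row, which is exactly the failure that only shows up in the browser console; the sanitised render parses and hands back the original `Faces "` value unchanged. The escaper also turns `<` into `\u003c`, so a stored value such as `</script>` cannot close the inline block: a string that can break the script by accident is the same string that can alter it on purpose, which is why the fix belongs at the output-escaping step rather than in input validation.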
