Mercurial > urweb
annotate tests/dynClass.ur @ 1710:540df112ff62
Remove string-valued style attribute, which may allow injection attacks
| author | Adam Chlipala <adam@chlipala.net> |
|---|---|
| date | Sun, 15 Apr 2012 12:40:53 -0400 |
| parents | b0720700c36e |
| children | acadf9d1214a |
| rev | line source |
|---|---|
| adam@1643 | 1 style s1 |
| adam@1643 | 2 style s2 |
| adam@1643 | 3 |
| adam@1643 | 4 fun main () : transaction page = |
| adam@1643 | 5 src <- source s1; |
| adam@1643 | 6 s <- source ""; |
| adam@1643 | 7 toggle <- source False; |
| adam@1643 | 8 return <xml> |
| adam@1643 | 9 <head> |
| adam@1643 | 10 <link rel="stylesheet" type="text/css" href="http://localhost/test.css"/> |
| adam@1643 | 11 </head> |
| adam@1643 | 12 <body> |
| adam@1643 | 13 <button dynClass={signal src} onclick={set src s2}/> |
| adam@1643 | 14 |
| adam@1643 | 15 <hr/> |
| adam@1643 | 16 |
| adam@1643 | 17 <ctextbox source={s} dynClass={t <- signal toggle; |
| adam@1643 | 18 return (if t then s1 else s2)} |
| adam@1643 | 19 onkeyup={fn _ => t <- get toggle; set toggle (not t)}/> |
| adam@1643 | 20 </body> |
| adam@1643 | 21 </xml> |