annotate tests/dynClass.ur @ 1710:540df112ff62

Remove string-valued style attribute, which may allow injection attacks
author Adam Chlipala <adam@chlipala.net>
date Sun, 15 Apr 2012 12:40:53 -0400
parents b0720700c36e
children acadf9d1214a
rev   line source
adam@1643  1 style s1
adam@1643  2 style s2
adam@1643  3
adam@1643  4 fun main () : transaction page =
adam@1643  5     src <- source s1;
adam@1643  6     s <- source "";
adam@1643  7     toggle <- source False;
adam@1643  8     return <xml>
adam@1643  9       <head>
adam@1643 10         <link rel="stylesheet" type="text/css" href="http://localhost/test.css"/>
adam@1643 11       </head>
adam@1643 12       <body>
adam@1643 13         <button dynClass={signal src} onclick={set src s2}/>
adam@1643 14
adam@1643 15         <hr/>
adam@1643 16
adam@1643 17         <ctextbox source={s} dynClass={t <- signal toggle;
adam@1643 18                                        return (if t then s1 else s2)}
adam@1643 19                   onkeyup={fn _ => t <- get toggle; set toggle (not t)}/>
adam@1643 20       </body>
adam@1643 21     </xml>