Format String add-on and tags

0
Hi, I'm looking to use vis.js and some other frameworks to display information. I thought a quick way (using what is available) to inject the required JavaScript into a page would be the "format string" add-on.

Basically, I've set up a non-persisted entity that has an "html" (unlimited string). This property is adjusted by microflow(s) to build the required HTML (or should I say <script> code) to set up the required JS to interact with the libraries. Incidentally, as a quick hack I'm using the htmlSnippet add-on to include the libraries on particular pages (there is probably a better way, but I'm just trying to get something working).

Anyhoo, the Format String seems to be happy injecting HTML but not "<script>" tag enclosures (XHTML or some other validation/rejection going on?). You just end up with the script code and HTML placed on the page literally (and before you ask, yes, I have set the format string to render as HTML). Works fine provided there isn't a <script> tag in the content. Very frustrating, as without getting into widget development I can't easily see or find a way of dynamically injecting page content.

Any help / support greatly appreciated!

Update 28-4-2015

I've had a browse through the format string project on GitHub and have found the code escaping content with script tags in it.

if (string.indexOf("<script") > -1 || !renderAsHTML) { string = dom.escapeString(string); }

So that explains why it is doing it. Not sure why this is there though? Security concerns perhaps. Is there another add-on / way I could use (avoiding fork / dev of new widget)?
asked
1 answers
0

The fact that in 2016 a line like

if (string.indexOf("<script") > -1 || !renderAsHTML) { string = dom.escapeString(string); }

still exists makes me both amused and sad at the same time.

Seriously, what is this trying to achieve?

On the original OP: I remember htmlSnippet having an attribute that allows you to choose between HTML and JavaScript content. Is this setting gone?

answered
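An added example, not part of the thread or of the widget's code: the quoted condition run over three constructed strings, next to an escape-every-value formatter, to show what the substring test does and does not catch. `escapeHtml` is a stand-in that assumes `dom.escapeString` HTML-escapes its input; `formatEscaped`, its `${name}` placeholder syntax and the sample strings are hypothetical.

```javascript
// Stand-in for the widget's dom.escapeString (assumption: it HTML-escapes).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// The condition quoted in the thread, unchanged apart from the stand-in.
function widgetCheck(string, renderAsHTML) {
  if (string.indexOf("<script") > -1 || !renderAsHTML) {
    string = escapeHtml(string);
  }
  return string;
}

// Hardened alternative (hypothetical helper): the developer-authored template
// is trusted, every substituted value is escaped, no blacklist involved.
// Safe for values placed in element text or quoted attribute values only.
function formatEscaped(template, values) {
  return template.replace(/\$\{(\w+)\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(values, name)
      ? escapeHtml(values[name])
      : "");
}

// Constructed sample values, as a microflow might place them in the attribute.
const samples = {
  lower: "<script>init()</script>",               // matches the substring test
  upper: "<SCRIPT>init()</SCRIPT>",               // indexOf is case-sensitive
  handler: '<button onclick="init()">Go</button>' // script without a script tag
};

// For each sample: did the quoted check escape it, and what does the
// escape-every-value formatter emit for the same input?
function report() {
  const out = {};
  for (const [name, value] of Object.entries(samples)) {
    out[name] = {
      escapedByCheck: widgetCheck(value, true) !== value,
      viaTemplate: formatEscaped("<span>${v}</span>", { v: value }),
    };
  }
  return out;
}

console.log(report());
```

Only the lower-case sample is escaped by the quoted check; the other two reach the page as markup, so the check cannot be relied on as a security boundary when the attribute can hold untrusted data.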