On Thu, 2010-12-02 at 17:12 +0000, Gavin Panella wrote:
> Review: Approve
> Hi Curtis. Some incredibly minor comments, +1.
>
>
> [1]
>
> js = js_template % simplejson.dumps(args)
> # If the YUI widget or javascript is not supported in the browser,
> # it will degrade to being this "Find..." link instead of the
> @@ -154,8 +163,7 @@
> css = ''
> return ('<span class="%s">(<a id="%s" href="/people/">'
> 'Find…</a>)</span>'
> - '\n<script>\n%s\n</script>'
> - ) % (css, self.show_widget_id, js)
> + '\n<script>\n%s\n</script>') % (css, self.show_widget_id, js)
>
> It's not part of your change, but using simplejson.dumps() can be
> hazardous for embedding javascript into <script> tags. See:
>
> http://code.google.com/p/simplejson/issues/detail?id=66
>
> Instead the following should be used:
>
> simplejson.dumps(args, cls=simplejson.encoder.JSONEncoderForHTML)
>
> Or:
>
> simplejson.encoder.JSONEncoderForHTML().encode(obj)
Interesting. We cannot do this right now because Lp is using 2.0.9. I
can see it my version of 2.1.1
> [2]
>
> + Y.lp.registry.team.setup_add_member_handler(
> + '${step_title}');
>
> The lack of escaping and all that jazz makes me a little uneasy, but
> it's not user-supplied so I'm not too worried.
This content is in a tal:content rule and is escaped. A single-quote
will break the script. I updated the method to escape quotes and added a
test.
> [5]
>
> + return 'Search for a restricted or moderated team or person'
>
> This could be parsed as:
>
> Search for a (restricted or moderated) (team or person)
>
> Perhaps the following would be less ambiguous:
>
> Search for a restricted team, a moderated team, or a person
We have not changed the policies in 5 years. I do not think we will be
adding other policies. If I am wrong, we may need to update the proposed
revision. Since this issue is about OPEN, I think the clause should
remain as is.
On Thu, 2010-12-02 at 17:12 +0000, Gavin Panella wrote: dumps(args) </a>)</ span>' \n%s\n< /script> ' widget_ id, js) \n%s\n< /script> ') % (css, self.show_ widget_ id, js) code.google. com/p/simplejso n/issues/ detail? id=66 dumps(args, cls=simplejson. encoder. JSONEncoderForH TML) encoder. JSONEncoderForH TML().encode( obj)
> Review: Approve
> Hi Curtis. Some incredibly minor comments, +1.
>
>
> [1]
>
> js = js_template % simplejson.
> # If the YUI widget or javascript is not supported in the browser,
> # it will degrade to being this "Find..." link instead of the
> @@ -154,8 +163,7 @@
> css = ''
> return ('<span class="%s">(<a id="%s" href="/people/">'
> 'Find…
> - '\n<script>
> - ) % (css, self.show_
> + '\n<script>
>
> It's not part of your change, but using simplejson.dumps() can be
> hazardous for embedding javascript into <script> tags. See:
>
> http://
>
> Instead the following should be used:
>
> simplejson.
>
> Or:
>
> simplejson.
Interesting. We cannot do this right now because Lp is using 2.0.9. I
can see it my version of 2.1.1
> [2] team.setup_ add_member_ handler(
>
> + Y.lp.registry.
> + '${step_title}');
>
> The lack of escaping and all that jazz makes me a little uneasy, but
> it's not user-supplied so I'm not too worried.
This content is in a tal:content rule and is escaped. A single-quote
will break the script. I updated the method to escape quotes and added a
test.
> [3] team_cannot_ be_a_member_ or_a_closed_ team(self) :
>
> + def test_open_
>
> s/or/of/
fixed
> [4] team_can_ be_a_member_ or_an_open_ team(self) :
>
> + def test_open_
>
> s/or/of/
fixed
> [5]
>
> + return 'Search for a restricted or moderated team or person'
>
> This could be parsed as:
>
> Search for a (restricted or moderated) (team or person)
>
> Perhaps the following would be less ambiguous:
>
> Search for a restricted team, a moderated team, or a person
I accept your proposal.
> [6] subscriptionpol icy != TeamSubscriptio nPolicy. OPEN) nPolicy member) instead: subscriptionpol icy, ( nPolicy. RESTRICTED, nPolicy. MODERATED) )
>
> + Person.
>
> Maybe it's worth taking a defensive approach here (to someone adding
> another TeamSubscriptio
>
> In(Person.
> TeamSubscriptio
> TeamSubscriptio
We have not changed the policies in 5 years. I do not think we will be
adding other policies. If I am wrong, we may need to update the proposed
revision. Since this issue is about OPEN, I think the clause should
remain as is.
-- launchpad. net/
__Curtis C. Hovey_________
http://