
StephenFriedrich (18)
#1
Chapter 10 (Charts) should mention right on the first page that Flash is needed to display charts.
For us (and probably many others) this makes the ExtJS charting features completely useless: Company policy forbids the usage of Flash.

Currently the chapter text can even be interpreted as meaning that flash is not necessary at all:
> What makes Charts in the framework so cool is that you need not have any
> Flash experience to get this stuff to work for you.
> As we’ll see, everything will be done via JavaScript.

I really don't get why such an important feature isn't implemented in pure JavaScript (using maybe Raphaël as foundation technology).

A general remark about the book: IMHO quite a lot of anecdotes and sales pitches could be removed to make it more concise. After all this is an "in Action" book, right?

Rather I would like to hear about ExtJS's rough edges. (For example just this week I was perplexed to note that the default grid cell renderer leaves the door wide open to XSS attacks).
jesus.garcia (463)
#2
Re: Charts Need Flash!
Hi Stephen,

Thanks for the feedback.

Are you saying that the text is not accurate? Is flash experience necessary? Not having flash experience and not having flash are two different things in my opinion. But, I will look to make it much cleaner. Thanks for your interpretation.

Regarding the sales pitch, I will work to tone that stuff down, but those are my feelings. I think they are cool. <shrugs>

Regarding security, how does the cell renderer leave the door open to XSS attacks? It is just spitting out data. Your back end should be removing script tags injected into forms.
StephenFriedrich (18)
#3
Re: Charts Need Flash!
Thanks for the quick answer.

No, I am not saying that the text is incorrect, just very easy to misunderstand if you are not already familiar with charting.
It is missing a statement that using ExtJS's charting requires each client browser to have flash installed.

BTW: I am absolutely with you: ExtJS is the coolest technology I have used in the last couple of years.

I don't really want to go into the discussion again (see the lengthy ExtJS forum discussion) which part of the system should be responsible to prevent XSS attacks, but can't help making a couple of remarks:
The point is exactly that the cell renderer is not only "spitting out data" - it can be misused to spit out code.
I was coming from Java Server Faces (conceptually surprisingly similar to ExtJS) where every output that is made by JSF components is escaped unless escape="false" is explicitly added. There is absolutely no harm done by this strategy and it is much safer by default.
The XSS prevention cheat sheet from the OWASP project (arguably the authority on this issue) names output encoding as "rule #1" (there's a rule #0 saying that you should inject dynamic text only to defined location): http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#Escaping_.28aka_Output_Encoding.29
Anyway, I think adding a prominent note somewhere (to the grid/tree chapters?) is a good idea:
Note:
ExtJS by default does not encode data in a grid cell.
When the data comes from any untrusted source (such as user input) then to prevent XSS attacks you must scrub the data on the server side and/or use a custom renderer that escapes the data prior to rendering.
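The following is an added example to illustrate the note above; it is not code from the book, from Ext JS, or from either poster. It models a grid cell renderer in plain JavaScript: a pass-through renderer that emits the value as-is (the behaviour the note describes as the default), a renderer that HTML-encodes the value first (OWASP's rule #1, output encoding), and a naive server-side "strip script tags" filter to show that a payload without a script tag sails straight through it. The record, the cell wrapper markup, and the function names (rawRenderer, escapingRenderer, renderCell, stripScriptTags, demo) are all assumptions made for the example.

```javascript
// Added example, not from the book or Ext JS. Names and sample data are
// assumptions constructed for illustration.

// Constructed sample record: the "name" field is what an attacker might type
// into a registration form; "comment" is ordinary text that contains
// characters which are meaningful in HTML.
const sampleRecord = {
  name: 'Mallory <img src=x onerror="alert(document.cookie)">',
  comment: 'Stephen & Co. <b>bold</b>',
};

// Pass-through renderer: returns the value unchanged, so any markup in the
// data lands in the cell as live HTML. This models the default behaviour the
// note above warns about.
function rawRenderer(value) {
  return String(value);
}

// Encode the five characters that matter in an HTML text context.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Escaping renderer: the value reaches the DOM as text, never as markup.
function escapingRenderer(value) {
  return htmlEncode(value);
}

// Minimal stand-in for the grid view: wraps whatever the renderer returns in
// the cell markup, exactly as a template-driven grid would.
function renderCell(renderer, value) {
  return '<div class="x-grid3-cell-inner">' + renderer(value) + '</div>';
}

// Naive server-side blacklist ("remove script tags"). The sample payload
// above contains no <script> element, so this filter changes nothing.
function stripScriptTags(value) {
  return String(value).replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Render the hostile name three ways and return the resulting cell HTML.
function demo() {
  return {
    raw: renderCell(rawRenderer, sampleRecord.name),
    stripped: renderCell(rawRenderer, stripScriptTags(sampleRecord.name)),
    escaped: renderCell(escapingRenderer, sampleRecord.name),
  };
}
```

In a real column config the escaping renderer would be wired in as `renderer: escapingRenderer` on the column (Ext JS passes the cell value as the first argument, so the extra arguments can be ignored); Ext JS itself ships `Ext.util.Format.htmlEncode` for the same purpose. The point of the `stripped` case is that a blacklist on the server does not replace encoding on output: the `onerror` handler survives intact, whereas the encoded version contains no element at all.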
jesus.garcia (463)
#4
Re: Charts Need Flash!
I'll add a note to the charting section, where I'll state that flash is required and version as well.