I think that <os:Render /> with out specifying the content is not allow."A template may also define locations to render custom blocks of content. This is done using the <os:Render> tag and the content block is always identified by the @content attribute" we can not identify the content to render with out @content
Looking at your example I assume that this will be call like<myapp:DisplayCard><div> this is the content I want to render<div><a href="${Top.ProfielUrl}">${Top.TumbnailUrl}</a></myapp:DisplayCard>This will cause a problem with variable evaluation. I can not parse the content inside the <myapp:DisplayCard> to add the variable to My. If I do that I will end with something likeMy.div = "this is the content I want to render<div><a href=\"http://abc.com/profile.html\">http://abc.com/image.gif</a>"Forcing having to parse first the tag and then trying to get content and variables that will complicate a lot the implementation.
I agree with ChrisI don't think is any difference between<script tag="myapp:DisplayCard"><div class="display-card-middle">${My.MiddleContent}</div>
<div class="display-card">
<div class="display-card-top"> </div>
<div class="display-card-bottom"> </div>
</div>
</script>
and<script tag="myapp:DisplayCard"><div class="display-card-middle"><os:Render content="MiddleContent"></div>
<div class="display-card">
<div class="display-card-top"> </div>
<div class="display-card-bottom"> </div>
</div>
</script><myapp:DisplayCard><myapp:MiddleContent><div> this is the content I want to render<div><a href="${Top.ProfielUrl}">${Top.TumbnailUrl}</a></myapp:MiddleContent></myapp:DisplayCard>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "OpenSocial and Gadgets Specification Discussion" group.
To post to this group, send email to opensocial-an...@googlegroups.com
To unsubscribe from this group, send email to opensocial-and-gadg...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/opensocial-and-gadgets-spec?hl=en
-~----------~----~----~----~------~----~------~--~---
--
You received this message because you are subscribed to the Google Groups "OpenSocial and Gadgets Specification Discussion" group.
To post to this group, send email to opensocial-an...@googlegroups.com.For more options, visit this group at http://groups.google.com/group/opensocial-and-gadgets-spec?hl=en.
To unsubscribe from this group, send email to opensocial-and-gadg...@googlegroups.com.
As Chris has pointed out, I am trying to argue it both ways :) That is because I believe custom tags need to be a flexible enough mechanism to do two pretty different things well:
Usually, the two will not clash. That is, even if a "formatting" custom tag takes some parameters as input, it will likely do so in attributes rather than in child nodes: <my:roundedBox color="red"> ... markup ... </my:roundedBox>
- Format content (such as with the rounded borders or Box with Title examples)
- Take structured input in the form of attributes or child nodes
(As an aside, I find such invocation syntax to be much more clear than <tag key="roundedBox"> ... </tag>, but since this is a different proposal, let's not dwell on this)
Much of the added verbosity of Jorge's proposal seems aimed at allowing unambiguous mixing of having content and variables represented as child nodes - a scenario I think will be very rare in real-world usage. I do think it penalizes the simple use cases where there is no ambiguity to begin with.
<foo:Bar>
<div>Dog</div>
<div>Cat</div>
<other>Bird</other>
</foo:Bar>
Looking at the example<foo:Bar><other>Bird</other>
<div>Dog</div>
<div>Cat</div>
</foo:Bar><script .... tag="foo:Bar><os:Render /></script>we will have<div>Dog</div><div>Cat</div><other>Bird</other>other is not a valid html tag
also My will containMy.div = "Cat" (Because we have to divs we have Dog and then it change to Cat)
My.other = "Bird"
we can not know if the container element in <foo:bar> are variables or content.That is why <os:Render> with out @content is not practical
<JsLink action="navigateToNextPage()">Next</JsLink><Template tag="JsLink"><a href="javascript:void()" onclick="${My.action}"><os:Render/></a></Template>
<Expando><Title>This is the title</Title><Content>This is the content</Content></Expando><Template tag="Expando"><div><a href="#" onclick="toggleMimizeState()"><os:Render content="${My.Title}"/></a></div><div class="minimizable"><os:Render content="${My.Content}"/></div></Template>
<TabView><Tab><Title>Title</Title><Content>...</Content></Tab><Tab><Title>Title2</Title><Content>...</Content></Tab></TabView><Template tag="Tabs"><div repeat="${My.Tab}"><os:Render select="${Title}"></div>...</Template>
> I don't believe we need to know this ahead of time.Having this behavior requires the template not be passed not only the
> If the template calls <os:Render>, that is a directive to treat child elements as content.
resolved parameters, but much additional data:
1. Resolved parameters
2. Duplicate copy of each parameter as a string, ordered
3. Duplicate copy of entire set of parameters as a string, ordered.
Invoking a template should be analogous to making a function call. In
function calls, things are evaluated right to left, with parameters
being resolved prior to invoking the function and passing the resolved
parameters into the function.
The way <os:Render> is specified breaks this model of treating
template calls as function calls. As pointed out previously, removal
of <os:Render> does not remove the ability to display markup. The
developer simply makes use of the <os:Html> tag, using the parameter
name as content.
<os:Render> : Displays markup passed in as a parameter to the
template,
running the markup thru the template processor to resolve any
OSML tags.
<os:Html> : Displays markup passed in as a parameter to the
template
WITHOUT running the markup thru the template processor,
subject to restrictions on allowed tags.
Is that more or less accurate? As I look at this, os:Render only
becomes interesting if it ingests markup (that has control tags
embedded) from an external source (ex: markup resulting from an
<os:HttpRequest>). That would allow an external server to feed in
OSML dynamically. Restricting os:Render to markup that is hard-coded
into the gadget definition isn't especially useful, as there are any
number of ways a gadget author could achieve the same behavior as I've
seen so far in all your examples - placing the markup in multiple
custom tag template definitions, creating more granular template
definitions, etc. All those methods allow control structures and
recursive nesting of templates without using this tag.
This also begs the question of why we wouldn't just run all markup
thru the template processor to resolve any OSML markup or custom tags
in every case. The base set of tags is pretty rudimentary, so I don't
see much that would be a security risk. We could disallow dynamic
processing of anything that was a risk (ex: data tags). If there was
a need to allow the author to allow/disallow processing OSML tags,
that could easily be accommodated by an additional attribute on
os:Html (ex: @processOsml="true|false").
Having two tags that are so similar in execution seems unnecessary to
me. In so many scenarios they will evaluate to the same result; we
would be better served by trying to extend <os:Html> to cover the use
cases you feel are currently only satisfied by <os:Render>.
--
clc
> ...
>
> read more »
So if I'm to paraphrase back how Shindig views <os:Render> vs
<os:Html>, the breakdown is as follows:
<os:Render> : Displays markup passed in as a parameter to the
template,
running the markup thru the template processor to resolve any
OSML tags.
<os:Html> : Displays markup passed in as a parameter to the
template
WITHOUT running the markup thru the template processor,
subject to restrictions on allowed tags.
Is that more or less accurate? As I look at this, os:Render only
becomes interesting if it ingests markup (that has control tags
embedded) from an external source (ex: markup resulting from an
<os:HttpRequest>). That would allow an external server to feed in
OSML dynamically. Restricting os:Render to markup that is hard-coded
into the gadget definition isn't especially useful, as there are any
number of ways a gadget author could achieve the same behavior as I've
seen so far in all your examples - placing the markup in multiple
custom tag template definitions, creating more granular template
definitions, etc. All those methods allow control structures and
recursive nesting of templates without using this tag.
This also begs the question of why we wouldn't just run all markup
thru the template processor to resolve any OSML markup or custom tags
in every case. The base set of tags is pretty rudimentary, so I don't
see much that would be a security risk. We could disallow dynamic
processing of anything that was a risk (ex: data tags). If there was
a need to allow the author to allow/disallow processing OSML tags,
that could easily be accommodated by an additional attribute on
os:Html (ex: @processOsml="true|false").
Having two tags that are so similar in execution seems unnecessary to
me. In so many scenarios they will evaluate to the same result; we
would be better served by trying to extend <os:Html> to cover the use
cases you feel are currently only satisfied by <os:Render>.
> ...
>
> read more »
This actually breaks down even further:
* Trusted by developer: (any URI to a site they control)
* Trusted by container: (nothing, other than pre-verified content or
partner content)
* Untrusted
This line of conversation, while germane to the broader security
conversation, takes us off into the woods as far as this topic goes a
little bit.
> However, I'm still in favor of the tags being separate because developers
> need to be aware of the difference between rendering their own markup
> (<os:Render>) and rendering data that may come from 3rd parties (<os:Html>).
As we've argued before, that distinction is far too subtle for most
developers to understand. If left as two tags this will be constantly
mis-applied. An attribute marking the content as "trusted" vs
"untrusted" on a singular tag will be much more obvious for most
users. It also leaves open the issue of what happens when a developer
places untrusted content in an <os:Render> tag. Once content is
received, the originating source is not strongly tracked. Inline
content can, or course, be recognized. But as we've said earlier, it
doesn't really add much in the way of utility if all a developer can
do is hard-code in the content. Passing the same content in to a more
cleverly designed set of templates can generate the same result in
almost any scenario.
> Do you have specific use cases where this might be needed
> over static OSML content?
Not really, but our developer usage patterns involve many apps making
use of an external, trusted server. They often iterate more
frequently on the content under the control of their external server
than that of the core app. Most cases can probably be satisfied with
well-authored templates and static parameters. This argument is
mostly put forth for the sake of completeness WRT the functional
behavior of template gadgets. If you're going to argue hard-coded
content should have this functionality accessible, the same
functionality should also be provided to content pulled dynamically
from an external location.
--
clc
> ...
>
> read more »
The term "trusted source" needs to be explored. The paradigm of our
developers is that they have an external server running a large
portion of their app, which should be considered a "trusted source".
> ...
>
> read more »
So if I'm to paraphrase back how Shindig views <os:Render> vs
<os:Html>, the breakdown is as follows:
<os:Render> : Displays markup passed in as a parameter to the
template,
running the markup thru the template processor to resolve any
OSML tags.
<os:Html> : Displays markup passed in as a parameter to the
template
WITHOUT running the markup thru the template processor,
subject to restrictions on allowed tags.
Is that more or less accurate?
As I look at this, os:Render only
becomes interesting if it ingests markup (that has control tags
embedded) from an external source (ex: markup resulting from an
<os:HttpRequest>). That would allow an external server to feed in
OSML dynamically. Restricting os:Render to markup that is hard-coded
into the gadget definition isn't especially useful, as there are any
number of ways a gadget author could achieve the same behavior as I've
seen so far in all your examples - placing the markup in multiple
custom tag template definitions, creating more granular template
definitions, etc. All those methods allow control structures and
recursive nesting of templates without using this tag.
This also begs the question of why we wouldn't just run all markup
thru the template processor to resolve any OSML markup or custom tags
in every case. The base set of tags is pretty rudimentary, so I don't
see much that would be a security risk. We could disallow dynamic
processing of anything that was a risk (ex: data tags). If there was
a need to allow the author to allow/disallow processing OSML tags,
that could easily be accommodated by an additional attribute on
os:Html (ex: @processOsml="true|false").
Having two tags that are so similar in execution seems unnecessary to
me. In so many scenarios they will evaluate to the same result; we
would be better served by trying to extend <os:Html> to cover the use
cases you feel are currently only satisfied by <os:Render>.
> ...
>
> read more »
On Jan 5, 8:42 am, Lev Epshteyn <le...@google.com> wrote:
> Sorry to jump into this two weeks on - I was away for the holidays and am
> only now catching up...
>
>
>
> On Thu, Dec 17, 2009 at 4:18 PM, goosemanjack <cc...@myspace.com> wrote:
> > So if I'm to paraphrase back how Shindig views <os:Render> vs
> > <os:Html>, the breakdown is as follows:
>
> > <os:Render> : Displays markup passed in as a parameter to the
> > template,
> > running the markup thru the template processor to resolve any
> > OSML tags.
>
> > <os:Html> : Displays markup passed in as a parameter to the
> > template
> > WITHOUT running the markup thru the template processor,
> > subject to restrictions on allowed tags.
>
> > Is that more or less accurate?
>
> I would phrase it differently, as Evan has: <os:Render> deals with markup -
> markup that already exists in the gadget spec, so the security
> considerations are minimal. On the other hand, <os:Html> *creates *markup
> ...
>
> read more »