NetTalk Central

Author Topic: make marquee code run as safe html  (Read 10005 times)

olu

make marquee code run as safe html
« on: October 21, 2012, 10:43:04 AM »
I have marquee code in my database that gets called but is being stopped by the unsafe html, and I just don't know what to put in the tag or embed to make it work properly.
Here is the code below:
Code:
<div id="news" class="default-text" style="background: #000000; top: 309px; left: 948px; width: 219px; height: 208px; margin-top: 40px; margin-left: 12px;">
<p><span style="font-family: &quot;arial&quot;,&quot;sans-serif&quot;; font-size: 10pt;" lang="en-us">    

<marquee behavior="scroll" onmouseover="this.stop()" onmouseout="this.start()" scrolldelay="10" scrollamount="2" direction="up" width="219px" height="208px" align="center" id="mymarquee">
Helloworld this is the advanced marquee onmouseover code.<br />
 you can also put images,links in here..!<br />
 <img src="imagefiles1/logo.jpg" alt="" width="254" height="56" /><br />
 <a href="http://www.everydaywant.com/" target="_self">www.everydaywant.com</a>
</marquee>


<input type="button" value="Pause" onClick="document.getElementById('mymarquee').stop();"/>
<input type="button" value="Continue" onClick="document.getElementById('mymarquee').start();"/>


</span></p>
<p> </p>
</div>

The thing is, if I remove these lines below it works, so how do I tell it that it is safe to run these lines?

<input type="button" value="Pause" onClick="document.getElementById('mymarquee').stop();"/>
<input type="button" value="Continue" onClick="document.getElementById('mymarquee').start();"/>
 
and remove

onmouseover="this.stop()" onmouseout="this.start()"


Bruce

Re: make marquee code run as safe html
« Reply #1 on: October 21, 2012, 08:52:10 PM »
While the marquee tag is not listed as a "safe" tag (I've added it for 6.48), your real problem here is all the javascript. That will never be safe (since what makes code unsafe _is_ javascript).

There are basically two options; either the code can be made safe (by moving the javascript to a .js file) or NetTalk needs to know that you are taking "responsibility" for the code.

So the context matters - where is this code, and how are you injecting it onto the page?

Cheers
Bruce
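
Bruce's first option (moving the JavaScript out of the stored HTML and into a .js file), sketched as an added example that is not part of the thread or of NetTalk. The file name, the button ids `marqueePause` and `marqueeContinue`, and the `findInlineScript` check are assumptions; the check is a rough approximation and not NetTalk's safe-HTML filter.

```javascript
// marquee.js (hypothetical file name): replaces the inline on* attributes.
// Assumption: the stored markup drops its on* attributes and the two buttons
// get the ids "marqueePause" and "marqueeContinue" (ids not from the thread).
function wireMarquee(doc) {
  const marquee = doc.getElementById('mymarquee');
  if (!marquee) return false; // fragment is not on this page
  const pause = () => marquee.stop();
  const resume = () => marquee.start();
  marquee.addEventListener('mouseover', pause);
  marquee.addEventListener('mouseout', resume);
  const pauseBtn = doc.getElementById('marqueePause');
  const continueBtn = doc.getElementById('marqueeContinue');
  if (pauseBtn) pauseBtn.addEventListener('click', pause);
  if (continueBtn) continueBtn.addEventListener('click', resume);
  return true;
}

// Rough pre-storage check, not NetTalk's own filter: list the script-bearing
// constructs left in a fragment (script tags, on* attributes, javascript: URLs).
function findInlineScript(html) {
  const patterns = [
    /<script\b/gi,
    /\son[a-z]+\s*=/gi,
    /(?:href|src)\s*=\s*["']?\s*javascript:/gi,
  ];
  const hits = [];
  for (const re of patterns) {
    for (const m of html.matchAll(re)) hits.push(m[0].trim().toLowerCase());
  }
  return hits;
}

// Constructed samples, abridged from the markup in the first post.
const SAMPLE_BEFORE =
  '<marquee id="mymarquee" onmouseover="this.stop()" onmouseout="this.start()">news</marquee>' +
  '<input type="button" value="Pause" onClick="document.getElementById(\'mymarquee\').stop();"/>';
const SAMPLE_AFTER =
  '<marquee id="mymarquee">news</marquee>' +
  '<input type="button" value="Pause" id="marqueePause"/>';

if (typeof document !== 'undefined') {
  // In the browser: wire up once the fragment has been parsed.
  document.addEventListener('DOMContentLoaded', () => wireMarquee(document));
}
```

With the handlers attached from the external file, the fragment stored in the database carries no script of its own, so it does not need to be marked as unsafe.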

olu

Re: make marquee code run as safe html
« Reply #2 on: October 21, 2012, 11:16:34 PM »
Hi Bruce,
     I am writing it in the indexpage in the proceduresetup into a Netwebpage as <!-- Net:x:mainbody --> in the Xhtml

Bruce

Re: make marquee code run as safe html
« Reply #3 on: October 22, 2012, 01:01:00 AM »
What is MainBody? A netwebsource procedure?

olu

Re: make marquee code run as safe html
« Reply #4 on: October 22, 2012, 03:40:02 AM »
MainBody is just a session variable created like p_web.SSV('MainBody',Loc:mydatafomfile)

olu

Re: make marquee code run as safe html
« Reply #5 on: October 25, 2012, 03:21:37 AM »
Hi Bruce
    Please, please, have you any idea how to get round this problem?

Bruce

Re: make marquee code run as safe html
« Reply #6 on: October 26, 2012, 01:37:48 AM »
Yes, but I think it needs code on my side to make unsafe html available to you. I'm working on that.

Bruce

Re: make marquee code run as safe html
« Reply #7 on: October 29, 2012, 11:12:02 PM »
Hi Olu,

This applies to build 6.49.
I've added a mechanism to "set" Session variables as "unsafe". This is done by using the "picture". So you can do something like this:

  p_web.SSV('whatever','<script> alert("me"); </script>','@U1')

The @U1 is a "picture" - essentially "unsafe 1".

When used as a tag, like you are doing, it will accept that the contents may contain unsafe HTML. Of course you are then responsible to make sure the code does not contain anything nefarious - specifically you should absolutely not set this for any session value that is an "input" on a page.

Cheers
Bruce