High performance text component

Thu Aug 30 13:20:21 PDT 2012

Yes, you can change all parts of FXML containing the rich text, but your 
locale bundle will contain these FXML fragments, then you will load in 
scenegraph these FXML fragments coming from localization.

Technically it is perfectly possible, but knowing that adding a 
localization can change instantiated components in scenegraph (then 
behaviour [1]) is clearly worrisome for security.

I see (personally) this as a non-separation of concerns giving too much 
rights to localization in applications and creating security bugs. Many 
users, who don't speak English, can use non-official localizations of 
applications (for languages not supported by editor of the software). 
For me, localization is not as trustable as code.

=> I would usually expect that localization can only change localizable 
strings (as declared by author of application) but not behaviour of 
application. Then, I would dislike to have to put some parts of code of 
my application in localization bundles.

[1]: In sample 4, you load a Button. I am not currently in security 
business, then my example is not as good and realistic as possible (and 
use no bugs, only features).
I will suppose an application using a PasswordField in rich text and 
allowing plugins for some specific features (country-specific web 
services) but restricting sensible access from plugins to application 
with Java policies (not using multiple ClassLoader to avoid bugs due to 
visibility problems or only by simplicity).

  * A custom localization contain a replacement of the standard
    <PasswordField .../> by fully-named
    <external.package.LoggingPasswordField .../>.
  * The class "external.package.LoggingPasswordField" is provided by a
    plugin to the application for adding country-specific features (like
    web services).

Given the FXML is loaded by application, it will be in a domain 
non-restricted by policies and FXML will load without problem a class 
from plugin. The pseudo-password field in scenegraph can send password 
to the web.

> Hi Gaja,
>
> I don't understand the issue. The entire string of the FXML fragment can be localized, or you can use CSS to apply a different style to different parts of the string based on a "localized css file". How does FXML not work for this case?
>
> Richard
>
> On Aug 30, 2012, at 5:40 AM, Gaja Sutra wrote:
>
>> I have a concern for localization support of FXML against the split of each paragraph in multiple FXML span tags.
>>
>> By example, your first sample <p>Hello <b>Bold</b> <i>World</i></p>, can become in french <p>Bonjour <i>Monde</i> <b>Gras</b></p>, with different order of bold and italic styles. Like this case, FXML containing rich text will probably be separate for each language.
>>
>> I understand DOM-like API for manipulation but I think it will be more complex to localize than some annotated string.
>>
>> By example with a syntax like RTF/LaTeX <p>Hello \strong{Bold} \em{World}</p> and <p>Bonjour \em{Monde} \strong{Gras}</p>, you can localize only by substituting the string in the bundle, because your styles is not in FXML structure but only in the String containing text.
>>
>> NB: In this case, your command annotating text is associated, by example, to a custom CSS pseudo-class:
>> p:strong {-fx-font-weight: bold;}
>> p:em {-fx-font-style: italic;}
>>
>> NB: I know RTF/LaTeX syntax is not really beautiful. I am choosing this syntax only because special characters are not the same than XML and because ${...} is more frequently used for executing content (variable evaluation, etc.).
>>
>>