Generated entity's show.jspx escapes xhtml fields
  • Generated entity's show.jspx escapes xhtml fields

    This may not be a roo specific issue, but I've developed our current codebase with the same technologies as roo and not had this issue. I have an entity with a text field where xhtml is stored. I need the xhtml to be displayed when calling <c:out value="${example.htmlText}"/>

    What happens is the < and > characters are escaped and so the tags are displayed instead of interpreted... Why would this be happening? The htmlText is correct in mysql, the < and > characters are not escaped there.

    Instead of displaying: hello world!
    It's now displaying: hello <em>world</em>!

  • #2
    HTML escaping is done by design to prevent common XSS attacks. Please read details here https://jira.springsource.org/browse/ROO-512. To disable XML escaping in your c:out tag you need to add the following attribute to it:

    escapeXml="false"

    However keep in mind that your page is now exposed to XSS attacks. You can test this by simply entering <script>alert("test")</script> into your text field. So you will need to somehow deal with this situation.

    HTH,
    Stefan
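    One way to "deal with this situation" that the reply above leaves open, shown here as an added example that is not from this thread or from Spring Roo: reduce the stored markup to a small allow-list of formatting tags before the view emits it with escapeXml="false", so script and event-handler attributes never reach the browser. It assumes the OWASP Java HTML Sanitizer library (package org.owasp.html) is on the classpath; the class name HtmlTextSanitizer and the chosen tag list are my own.

```java
// Added example (not from this thread or Spring Roo): render stored XHTML with
// escapeXml="false" only after reducing it to an allow-list of formatting tags.
// Assumes the OWASP Java HTML Sanitizer (org.owasp.html) is on the classpath.
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public final class HtmlTextSanitizer {

    // Only these formatting elements survive. Every other element (script,
    // iframe, ...) and every attribute (onclick, style, href, ...) is dropped,
    // so the markup that reaches the browser cannot carry executable content.
    private static final PolicyFactory FORMATTING_ONLY = new HtmlPolicyBuilder()
            .allowElements("em", "strong", "p", "br", "ul", "ol", "li")
            .toFactory();

    private HtmlTextSanitizer() {
    }

    /** Returns markup that is safe to emit with <c:out ... escapeXml="false"/>. */
    public static String sanitize(String untrustedHtml) {
        if (untrustedHtml == null) {
            return "";
        }
        return FORMATTING_ONLY.sanitize(untrustedHtml);
    }

    // Placement: sanitizing at render time (e.g. in the controller that fills
    // the model for show.jspx) protects the view no matter which code path
    // wrote the row; sanitizing again before persisting is cheap defence in
    // depth. The JSP then reads the cleaned value with:
    //   <c:out value="${example.htmlText}" escapeXml="false"/>
    public static void main(String[] args) {
        // Constructed sample input: the thread's own test string.
        String stored = "hello <em>world</em>! <script>alert(\"test\")</script>";
        System.out.println(sanitize(stored));
    }
}
```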



    • #3
      Stefan, thanks for clarifying. I'm well aware of the potential for XSS attacks.
