Velocity: Escaping reference data for option lists

    I've just started working with Spring's Velocity macros; however, I have encountered an HTML escaping problem when using select lists. The labels for the generated options are not escaped.

    The macro for outputting a single select list is copied below; the full source is here:

    Code:
    #macro( springFormSingleSelect $path $options $attributes )
        #springBind($path)
        <select id="${status.expression}" name="${status.expression}" ${attributes}>
            #foreach($option in $options.keySet())
                <option value="${option}"
                #if("$!status.value" == "$option")
                    selected="selected"
                #end>
                ${options.get($option)}</option>
            #end
        </select>
    #end
    The problematic piece of code is ${options.get($option)}</option>: at this point the raw value from the map will be output as HTML, leading to security vulnerabilities etc. This problem seems to exist for springFormMultiSelect, springFormRadioButtons & springFormCheckboxes also.

    Does anyone have a solution for this problem? I can't work out a tidy way to patch spring.vm without adding a dependency on Velocity's EscapeTool.
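The following is an added example, not code from the original post or from Spring's spring.vm: a patched copy of the single-select macro rendered from plain Java, using Spring's own org.springframework.web.util.HtmlUtils.htmlEscape instead of velocity-tools' EscapeTool. The `Esc` class and the `$esc` context name are hypothetical helpers; `#springBind($path)` is replaced by explicit `$name`/`$value` parameters so the template runs outside a Spring request. Note that the original macro also writes the map key raw into `value="${option}"`, so the example escapes the key as well as the label.

```java
import java.io.StringWriter;
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.springframework.web.util.HtmlUtils;

public class EscapedSelectDemo {
    /** Hypothetical helper published to templates as $esc; wraps Spring's HtmlUtils. */
    public static class Esc {
        public String html(Object o) {
            return o == null ? "" : HtmlUtils.htmlEscape(o.toString());
        }
    }

    // Patched copy of springFormSingleSelect: key (attribute context) and label (text
    // context) both go through $esc on output, while the selected-check still compares the
    // raw key against the bound value, so escaping never changes which option is selected.
    static final String TEMPLATE =
        "#macro( escapedSingleSelect $name $value $options $attributes )\n"
      + "<select id=\"$esc.html($name)\" name=\"$esc.html($name)\" ${attributes}>\n"
      + "#foreach($option in $options.keySet())\n"
      + "<option value=\"$esc.html($option)\""
      + "#if(\"$!value\" == \"$option\") selected=\"selected\"#end>"
      + "$esc.html($options.get($option))</option>\n"
      + "#end\n"
      + "</select>\n"
      + "#end\n"
      + "#escapedSingleSelect($name $value $options 'class=\"size\"')";

    public static String render(String name, String boundValue, Map<String, String> options) {
        VelocityEngine engine = new VelocityEngine();
        engine.init();
        VelocityContext ctx = new VelocityContext();
        ctx.put("esc", new Esc());
        ctx.put("name", name);
        ctx.put("value", boundValue);
        ctx.put("options", options);
        StringWriter out = new StringWriter();
        try {
            engine.evaluate(ctx, out, "escaped-select", TEMPLATE);
        } catch (Exception e) { // evaluate() declares different exceptions in Velocity 1.6 vs 1.7
            throw new IllegalStateException(e);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed reference data: a label containing markup and a key containing a quote.
        Map<String, String> options = new LinkedHashMap<String, String>();
        options.put("1", "Small <b>(default)</b> & cheap");
        options.put("2\"", "Large");
        System.out.println(render("size", "1", options));
    }
}
```

In a real application the same `Esc` instance can be supplied to every view through the view resolver's static attributes rather than put into each model by hand.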