  • Velocity: Escaping reference data for option lists

    I've just started working with Spring's Velocity macros; however, I have encountered an HTML escaping problem when using select lists. The labels for the generated options are not escaped.

    The macro for outputting a single select list is copied below, full src here:

    #macro( springFormSingleSelect $path $options $attributes )
        <select id="${status.expression}" name="${status.expression}" ${attributes}>
            #foreach($option in $options.keySet())
                <option value="${option}"
                #if("$!status.value" == "$option")
                    selected="selected"
                #end
                ## the label from the map is written out raw, with no HTML escaping
                >${options.get($option)}</option>
            #end
        </select>
    #end

    The problematic piece of code is ${options.get($option)}</option>, at this point the raw value from the map will be output as HTML leading to security vulnerabilities etc. This problem seems to exist for springFormMultiSelect, springFormRadioButtons & springFormCheckboxes also.

    Does anyone have a solution for this problem? I can't work out a tidy way to patch spring.vm without adding a dependency on velocity's EscapeTool.
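As an added example (not code from the post above or from Spring itself), the following Java class shows what the option list should look like once the reference data is escaped for its HTML context. It renders the same Map twice: once the way the macro currently does it (raw label, raw value) and once with every dynamic piece passed through an HTML escaper. The class name, the method names and the sample map are constructed for this illustration; the escaper is hand-written so the example has no dependencies, but in a Spring project org.springframework.web.util.HtmlUtils.htmlEscape(String) does the same job.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example: renders an HTML select list from reference data the way
 * springFormSingleSelect does, with and without escaping. Hypothetical names.
 */
public class OptionListRenderer {

    /**
     * Minimal HTML escaper for text content and double-quoted attribute values.
     * Covers the five characters that can change the meaning of either context.
     * Equivalent to Spring's HtmlUtils.htmlEscape for these characters.
     */
    static String htmlEscape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Mirrors what the macro does today: map key and map value are written raw. */
    static String renderUnescaped(String name, Map<String, String> options, String selected) {
        StringBuilder sb = new StringBuilder();
        sb.append("<select id=\"").append(name).append("\" name=\"").append(name).append("\">\n");
        for (Map.Entry<String, String> e : options.entrySet()) {
            sb.append("  <option value=\"").append(e.getKey()).append('"');
            if (e.getKey().equals(selected)) {          // same string comparison as "$!status.value" == "$option"
                sb.append(" selected=\"selected\"");
            }
            sb.append('>').append(e.getValue()).append("</option>\n");
        }
        return sb.append("</select>").toString();
    }

    /** Hardened form: the value attribute and the label text are both escaped. */
    static String renderEscaped(String name, Map<String, String> options, String selected) {
        StringBuilder sb = new StringBuilder();
        String safeName = htmlEscape(name);
        sb.append("<select id=\"").append(safeName).append("\" name=\"").append(safeName).append("\">\n");
        for (Map.Entry<String, String> e : options.entrySet()) {
            sb.append("  <option value=\"").append(htmlEscape(e.getKey())).append('"');
            if (e.getKey().equals(selected)) {          // compare the raw key, escape only on output
                sb.append(" selected=\"selected\"");
            }
            sb.append('>').append(htmlEscape(e.getValue())).append("</option>\n");
        }
        return sb.append("</select>").toString();
    }

    public static void main(String[] args) {
        // Constructed reference data: the second label contains characters that
        // the browser would otherwise interpret as markup.
        Map<String, String> countries = new LinkedHashMap<>();
        countries.put("gb", "United Kingdom");
        countries.put("tt", "Trinidad & Tobago <est. 1962>");

        System.out.println("-- as the current macro renders it --");
        System.out.println(renderUnescaped("country", countries, "tt"));
        System.out.println("-- with the labels and values escaped --");
        System.out.println(renderEscaped("country", countries, "tt"));
    }
}
```

The important point is where the escaping happens: the comparison that decides which option is selected still runs on the raw map key, and only the text that reaches the response is escaped, so escaping does not break selection. If patching spring.vm by hand is not an option, Velocity can also be configured with the reference-insertion handler org.apache.velocity.app.event.implement.EscapeHtmlReference (property eventhandler.referenceinsertion.class), which escapes every reference a template outputs; that is a blunt instrument, since references that are meant to carry markup would be escaped as well.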