Closed chongma closed 5 years ago
Hi Matthew,
I've added an `escape` attribute to address the problem. The idea is the same as with `<h:outputText>`: by default, every HTML-like attribute is masked. Only if you insist, it's rendered as-is. I've also uploaded a BootsFaces-1.4.0-SNAPSHOT to Maven Central.
I'm afraid you've opened the box of Pandora :). IMHO, we should implement the `escape` attribute for every component featuring a tooltip (aka `title`), a label or a caption.
What's your opinion?
CU Stephan
@stephanrauh somehow i missed your message and was just looking through the code now. i saw the escape stuff but wasn't sure where it was set. i have often thought that there should be different options.
Like how it is done in `xmlns:h="http://xmlns.jcp.org/jsf/html"`. not quite sure how it would work but for example

```xml
<b:selectOneMenu caption="this will always be escaped" ... />
<b:selectOneMenu ...>
    <b:caption>this could be html stuff</b:caption>
</b:selectOneMenu>
<b:selectOneMenu ..>
    <b:caption value="this would always be escaped"/>
</b:selectOneMenu>
```
the same could be done with a b:label?
for instance in an h:commandButton
if my memory is correct you can set a value for the button
```xml
<h:commandButton value="this will probably (?) be escaped" ... />
```

or you can just stick html inside the button and it gets used as the value

```xml
<h:commandButton ... >
    <b>a bold button value</b>
</h:commandButton>
```
there are other components that also have this behaviour
@BalusC @tandraschko @cagataycivici @edburns @arjantijms I guess you might want to chime in. Feel free to invite other core JSF developers to the party - at the moment, I just remember their real names, but not their GitHub user names :(.
Matthew asks if there's a decent way to fine-tune the JSF approach to escaping. By default, everything is escaped. That's good because it's a good measure against hackers.
But sometimes you want to be able to circumvent some of the escaping. In particular, this might apply to comboboxes. They consist of many texts: label, tooltips, and options.
How can we un-escape some of these texts without sacrificing the protection JSF offers by default?
Matthew submitted several ideas above. Another idea is to adopt the approach of Angular, using a dedicated HTMLSanitizer service.
Any ideas, recommendations or suggestions?
Best regards, Stephan
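An added example, not BootsFaces or JSF code, sketching the two policies the thread discusses for a component caption: escape-by-default with an explicit opt-out (the `escape` attribute), and the sanitizer alternative, where everything is escaped first and only a fixed allowlist of bare inline tags is restored. The replacement set and the allowlist are assumptions chosen for the sketch; the caption with the angle-bracketed e-mail address is a constructed input mirroring the original report.

```java
// Added example (not BootsFaces code): escape-by-default for a caption,
// with an explicit opt-out and a small allowlist-based sanitizer.
public class CaptionEscaping {

    // Minimal HTML escaping of the characters that can open markup or
    // break out of an attribute value (assumed set, modelled on h:outputText).
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Mirrors an escape="true|false" attribute: escaped unless the page
    // author explicitly opts out for this one caption.
    static String renderCaption(String caption, boolean escape) {
        return escape ? escapeHtml(caption) : caption;
    }

    // Sanitizer variant: escape everything, then restore only bare
    // inline tags from an allowlist (no attributes, so no event handlers).
    private static final String[] ALLOWED_TAGS = {"b", "i", "em", "strong"};

    static String sanitize(String s) {
        String out = escapeHtml(s);
        for (String tag : ALLOWED_TAGS) {
            out = out.replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                     .replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return out;
    }

    public static void main(String[] args) {
        String caption = "Contact <user@example.com>";            // constructed input
        System.out.println(renderCaption(caption, true));   // address stays visible
        System.out.println(renderCaption(caption, false));  // browser treats <user@...> as a tag
        System.out.println(sanitize("<b>Contact</b> <user@example.com> <script>x</script>"));
        // only <b>...</b> survives; the address and the script tag are escaped
    }
}
```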
Nobody has answered during the last ten months. Let's close the ticket.
the `caption` property of `b:selectBooleanCheckbox` doesn't seem to escape special characters. i was trying to format an email address between a greater than and less than. and it got swallowed as html