TheCoder4eu / BootsFaces-OSP

BootsFaces - Open Source Project
Apache License 2.0

b:selectBooleanCheckbox caption special characters #1017

Closed chongma closed 5 years ago

chongma commented 6 years ago

The caption property of b:selectBooleanCheckbox doesn't seem to escape special characters. I was trying to format an email address between a greater-than and a less-than, and it got swallowed as HTML.

<ui:repeat var="quoteEmail" value="#{quoteBean.quote.quoteEmails}">
    <b:selectBooleanCheckbox value="#{quoteBean.selectedQuoteEmails[quoteEmail.toString()]}"
        caption="#{quoteEmail.email.personal} &lt;#{quoteEmail.email.address}&gt;" />
</ui:repeat>
stephanrauh commented 6 years ago

Hi Matthew,

I've added an escape attribute to address the problem. The idea is the same as with <h:outputText>: by default, every HTML-like attribute is masked. Only if you insist, it's rendered as-is. I've also uploaded a BootsFaces-1.4.0-SNAPSHOT to Maven Central.

I'm afraid you've opened the box of Pandora :). IMHO, we should implement the escape attribute for every component featuring a tooltip (aka title), a label or a caption.

What's your opinion?

CU Stephan
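As an added illustration of the escape semantics described above (example code, not BootsFaces code), a minimal stand-in renderer applied to the caption from the original report. Facelets decodes the &lt;/&gt; entities in the attribute before the component sees them, so the renderer receives literal angle brackets; the helper names renderCaption and escapeHtml are assumptions for this example.

```java
/**
 * Added example, not BootsFaces code: models the `escape` attribute.
 * With escape=true (the default, as in h:outputText) the caption is
 * HTML-encoded; with escape=false it is written verbatim, so any markup
 * in it becomes part of the page.
 */
public class CaptionEscapeDemo {

    /** Minimal HTML escaping of the characters that matter in text and attribute context. */
    static String escapeHtml(String text) {
        StringBuilder sb = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Writes the caption the way a renderer honouring an escape flag would. */
    static String renderCaption(String caption, boolean escape) {
        // In real JSF, ResponseWriter.writeText() escapes and write() does not;
        // this stand-in lets the example run without a Faces runtime.
        String body = escape ? escapeHtml(caption) : caption;
        return "<span class=\"caption\">" + body + "</span>";
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for #{quoteEmail.email.personal}
        // and #{quoteEmail.email.address} from the issue.
        String personal = "Matthew";
        String address = "matthew@example.com";
        String caption = personal + " <" + address + ">";

        System.out.println("escape=true : " + renderCaption(caption, true));
        System.out.println("escape=false: " + renderCaption(caption, false));
    }
}
```

With escape=true the address stays visible as text; with escape=false the browser parses the angle-bracketed address as an unknown tag, which is the swallowing reported above.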

chongma commented 6 years ago

@stephanrauh somehow I missed your message and was just looking through the code now. I saw the escape stuff but wasn't sure where it was set. I have often thought that there should be different options, like how it is done in xmlns:h="http://xmlns.jcp.org/jsf/html". Not quite sure how it would work, but for example:

<b:selectOneMenu caption="this will always be escaped" ... />
<b:selectOneMenu ...>
    <b:caption>this could be html stuff</b:caption>
</b:selectOneMenu>
<b:selectOneMenu ..>
    <b:caption value="this would always be escaped"/>
</b:selectOneMenu>

The same could be done with a b:label?

For instance, in an h:commandButton, if my memory is correct, you can set a value for the button:

<h:commandButton value="this will probably (?) be escaped" ... />

Or you can just stick HTML inside the button and it gets used as the value:

<h:commandButton ... >
    <b>a bold button value</b>
</h:commandButton>

There are other components that also have this behaviour.

stephanrauh commented 6 years ago

@BalusC @tandraschko @cagataycivici @edburns @arjantijms I guess you might want to chime in. Feel free to invite other core JSF developers to the party - at the moment, I just remember their real names, but not their GitHub user names :(.

Matthew asks if there's a decent way to fine-tune the JSF approach to escaping. By default, everything is escaped. That's good because it's a good measure against hackers.

But sometimes you want to be able to circumvent some of the escaping. In particular, this might apply to comboboxes. They consist of many texts: label, tooltips, and options.

How can we un-escape some of these texts without sacrificing the protection JSF offers by default?

Matthew submitted several ideas above. Another idea is to adopt the approach of Angular, using a dedicated HTMLSanitizer service.

Any ideas, recommendations or suggestions?

Best regards, Stephan

stephanrauh commented 5 years ago

Nobody has answered during the last ten months. Let's close the ticket.