tipsy / j2html

Java to HTML generator. Enjoy typesafe HTML generation.
https://j2html.com/
Apache License 2.0

Inline script escapes single quotes #149

Closed afarber closed 3 years ago

afarber commented 4 years ago

Hello, I am using j2html 1.4.0 to generate a web page with some global JavaScript variables:

    private void handleTopPage(HttpServletRequest httpReq, HttpServletResponse httpResp) throws ServletException, IOException {
        boolean showPhotos = "true".equals(httpReq.getParameter("show_photos"));

        String vars = String.join("\n",
            String.format("var SHOW_PHOTOS = %s;", showPhotos ? "true" : "false"),
            String.format("var COUNTRY = '%s';", System.getenv(COUNTRY)),

            "var STR_LOADING_RECORDS = 'Loading players...';",
            "var STR_ZERO_RECORDS    = 'Player not found';",
            "var STR_SEARCH          = 'Find player:';",

            "var PHOTO_HAPPY = '/words/images/female_happy.png';",
            "var PHOTO_SAD   = '/words/images/female_sad.png';"
        );

        ContainerTag div = div(
            script(vars).withType("text/javascript").withCharset("utf-8"),
            scriptWithInlineFile("/top.js").withType("text/javascript").withCharset("utf-8"),
            h2("Список игроков / 1 месяц").withStyle("text-align: center;"),
            table(
                thead(
                    tr(
                        th("Elo"),
                        th("Player"),
                        th("Photo")
                    )
                ),
                tbody()
            ).withId("ratingTable").withClass("stripe").withStyle("min-width: 480px;"),

but unfortunately single quotes are escaped in the resulting output:


    <div>
     <script type="text/javascript">
     var SHOW_PHOTOS = false;
     var COUNTRY = &#x27;ru&#x27;;
     var STR_LOADING_RECORDS = &#x27;Loading players...&#x27;;
     var STR_ZERO_RECORDS    = &#x27;Player not found&#x27;;
     var STR_SEARCH          = &#x27;Find player:&#x27;;
     var PHOTO_HAPPY = &#x27;/words/images/female_happy.png&#x27;;
     var PHOTO_SAD   = &#x27;/words/images/female_sad.png&#x27;;
     </script>
     <script type="text/javascript" charset="utf-8">
     function drawGames() {
      jQuery.ajax({
       url: '/ws/daily',
      dataType: 'json'
      }).done(function(jsonData) {
      var dt = new google.visualization.DataTable(jsonData);
     var chart = new google.visualization.AreaChart(document.getElementById('gamesChart'));
     chart.draw(dt, options);
     });
     }

How can I handle this case, please? I would like to use global vars (yes, I know that this is not the cleanest way) to localize and configure my JavaScript.

Thank you,
Alex

innovativeSkull commented 3 years ago

I am also facing a similar issue. I want to add ×   HTML characters like this. How can I do that? Also, while using JavaScript we are facing the same issue:

    withText("var element = document.createElement('a');")

gets rendered as

    var element = document.createElement(&#x27;a&#x27;);

obecker commented 3 years ago

To prevent any escaping use rawHtml().

Examples:

    script(rawHtml(vars))
    script().with(rawHtml("var element = document.createElement('a');"))

sembler commented 3 years ago

PR #181 has been merged. Now any String parameters for the TagCreator.script(...) or TagCreator.style(...) methods will be treated as unescaped text.
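
Added example, not part of the thread and not j2html code: because `rawHtml(...)` and, after PR #181, `script(...)` strings are emitted unescaped, a dynamic value placed in the inline script (such as the `COUNTRY` environment value in the first post) has to be encoded for a JavaScript string literal by the caller. The class name `InlineScriptVars` and the helpers `jsString` and `buildVars` are assumptions made for this sketch, and the inputs in `main` are constructed.

```java
// Added example; class and method names are assumptions, not part of j2html.
public class InlineScriptVars {

    /** Encodes a value as a single-quoted JavaScript string literal that is safe inside <script>. */
    static String jsString(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder("'");
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\"); break;
                case '\'': out.append("\\'"); break;
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                default:
                    // <, > and & could form </script> or <!--; U+2028 and U+2029 end a line in older JS engines.
                    if (c < 0x20 || c == '<' || c == '>' || c == '&' || c == '\u2028' || c == '\u2029') {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.append('\'').toString();
    }

    /** Builds the same kind of variable block as the first post, with the dynamic value encoded. */
    static String buildVars(boolean showPhotos, String country) {
        return String.join("\n",
            "var SHOW_PHOTOS = " + showPhotos + ";",
            "var COUNTRY = " + jsString(country) + ";",
            "var STR_SEARCH = 'Find player:';");
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal value and one that would otherwise close the script element.
        System.out.println(buildVars(false, "ru"));
        System.out.println(buildVars(true, "ru';</script><b>"));
        // Each result is the string that would be passed to script(rawHtml(vars)) as shown in the thread.
    }
}
```

For the second input the `COUNTRY` line comes out as `'ru\';\u003c/script\u003e\u003cb\u003e'`, which the browser parses as one string literal instead of the end of the script element.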