I am using PrimeFaces 6.0.15 and JSF 2.2. I am currently using the component p:textEditor to allow the user to format text (bold, italics, etc.). For example, if I have bold and underlined content, in the DB it would be stored as: <p><strong><u>TEST</u></strong></p>.
In the edit mode of my application, I pull the data from the database and, because the format is persisted in the DB, it automatically shows the content bold and underlined. But is there a read-only version of the text editor, such as but with the textEditor formatting functionality?
Since what is stored on the DB is pure HTML, I tried doing something like:
<h:panelGroup>#{bean.description}</h:panelGroup>
But it displayed this: <p><strong><u>TITLE</u></strong></p>
How could I display the content so that it shows the formatted content?
To enable HTML insertion without escaping, just set the escape attribute of h:outputText to false:
<h:outputText value="#{bean.description}" escape="false" />
Note: Presenting the HTML input of user A to user B may raise security issues (see: cross-site request forgery).
Related
I use the PrimeFaces editor within a project (http://www.primefaces.org/showcase/ui/input/editor.xhtml). My problem is that it always generates SPAN elements.
E.g. test is exported as
<span style="font-weight: bold;">test</span>
Instead of this, I need to generate markup (and so for the other functions) like this:
<b>test</b>
Any idea?
(it is not my personal wish but a need to be compatible with a legacy API)
Instead of <p:editor>, use <pe:ckEditor> from PrimeFaces Extensions; there are various options available for this, so choose according to your requirement. The PrimeFaces editor will always generate span for text.
Is there any HTML sanitizer or cleanup methods available in any JSF utilities kit or libraries like PrimeFaces/OmniFaces?
I need to sanitize HTML input by the user via p:editor and display safe HTML output using escape="true", following the stackexchange style. Before displaying the HTML, I'm thinking of storing the sanitized input data in the database, so that it is ready for safe use with escape="true" and XSS is not a danger.
In order to achieve that, you basically need a standalone HTML parser. HTML parsing is rather complex, and the task and responsibility for it are beyond the scope of JSF, PrimeFaces and OmniFaces. You're supposed to just grab one of the many existing HTML parsing libraries.
An example is Jsoup; it even has a separate method for the particular purpose of sanitizing HTML against a Safelist: Jsoup#clean(). For example, if you want to allow some basic HTML without images, use Safelist.basic():
String sanitizedHtml = Jsoup.clean(rawHtml, Safelist.basic());
A completely different alternative is to use a specific text formatting syntax, such as Markdown (which is also used here). Basically all of those parsers also sanitize HTML under the covers. An example is CommonMark. Perhaps this is what you actually meant when you said "stackexchange style".
As to saving in DB, you'd better save both the raw and parsed forms in 2 separate text columns. The raw form should be redisplayed during editing. The parsed form should be updated in background when the raw form has been edited. During display, obviously only show the parsed form with escape="false".
See also:
Markdown or HTML
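The following is an added example, not code from any answer on this page nor from PrimeFaces, OmniFaces or Jsoup. It ties the first answer's h:outputText escape="false" display to this answer's two-column advice: the property bound to the editor re-sanitizes with Jsoup every time the raw form changes, and only the sanitized copy is ever rendered unescaped. The class, property and method names are made up for the illustration; the calls Jsoup.clean, Jsoup.isValid and Safelist.basic are real Jsoup API (1.14.1 and later; earlier releases name the class Whitelist). The main() method is a stand-alone harness that pushes a few constructed payloads through the sanitizer so you can see what a user who tampers with the POST body, bypassing the editor's toolbar, can and cannot get stored.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

import java.io.Serializable;

// Added example (hypothetical bean name); assumes Jsoup 1.14.1+ on the classpath.
public class DescriptionBean implements Serializable {

    // Safelist.basic() keeps the formatting a rich text editor emits (p, strong, em, u,
    // ul, ol, li, a, ...) and drops everything else: no img, no style/class attributes,
    // no on* handlers, no script. Links are limited to http/https/ftp/mailto and get
    // rel="nofollow". The question's "<p><strong><u>TEST</u></strong></p>" passes untouched.
    private static final Safelist SAFELIST = Safelist.basic();

    // Two columns, as the answer suggests: the raw editor output is what edit mode
    // redisplays; the sanitized copy is the only thing escape="false" ever renders.
    private String rawDescription;
    private String sanitizedDescription;

    // Bound to <p:textEditor value="#{descriptionBean.rawDescription}" />
    public String getRawDescription() { return rawDescription; }

    // Every update of the raw form refreshes the parsed form in the background.
    public void setRawDescription(String raw) {
        this.rawDescription = raw;
        this.sanitizedDescription = sanitize(raw);
    }

    // Bound to <h:outputText value="#{descriptionBean.sanitizedDescription}" escape="false" />
    public String getSanitizedDescription() { return sanitizedDescription; }

    static String sanitize(String html) {
        if (html == null) return null;
        return Jsoup.clean(html, SAFELIST);
    }

    // True when cleaning would change nothing. Handy for logging or alerting on input
    // that carried markup the editor itself never produces.
    static boolean isAlreadyClean(String html) {
        return html == null || Jsoup.isValid(html, SAFELIST);
    }

    // Stand-alone demo; constructed sample inputs, not real user data.
    public static void main(String[] args) {
        String[] samples = {
            "<p><strong><u>TEST</u></strong></p>",                 // legitimate editor output
            "<p>hello<script>alert(document.cookie)</script></p>", // script element and its body are dropped
            "<p><img src=\"x\" onerror=\"alert(1)\"></p>",         // img not in basic(): removed
            "<p><a href=\"javascript:alert(1)\">click</a></p>",    // href with disallowed protocol removed
            "<p style=\"background:url(javascript:alert(1))\">styled</p>" // style attribute stripped
        };
        DescriptionBean bean = new DescriptionBean();
        for (String raw : samples) {
            bean.setRawDescription(raw);
            System.out.println("raw:           " + raw);
            System.out.println("already clean: " + isAlreadyClean(raw));
            System.out.println("sanitized:     " + bean.getSanitizedDescription().replace("\n", ""));
            System.out.println();
        }
    }
}
```

Sanitize in the setter rather than in the getter: the getter runs once per render for every viewer, the setter once per edit, and keeping the parsed form as a stored column means a later tightening of the safelist can be applied to all rows in a batch job instead of at request time.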
I am using JBoss AS 7. I created a Facelets page which is bound to a managed bean. I have a JSF input text field in my page. If I write some special characters in the input text field and submit the page, then it sends a request to the server. But the special characters are already converted to some other characters. I added the UTF-8 support tag in the Facelets page, but I am still not getting UTF-8 data on the server side. Do I need to add some settings on the JBoss server so that it can accept UTF-8 data?
I added a simple text field
<h:inputText value="#{myBean.value}" />
and wrote text like this:
"“ ©” ‘with special character’ — » É €"
I added a breakpoint on the server and examined the value, and I am getting something like this:
â éâ âÂÂwith special characterâ â û àâ¬
I don't know how to get the actual value on the server side.
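The page carries no answer to this question; what follows is an added example, not the asker's code nor anything from JBoss or JSF. It reproduces the kind of corruption shown above (UTF-8 bytes from the browser decoded by the container as ISO-8859-1, the Servlet specification's default when the request carries no charset) so the symptom can be recognised, shows the diagnostic check that tells charset damage apart from real data loss, and includes the standard servlet-level remedy, a filter that declares the request encoding before any parameter is read. The class names are made up; the assumption that the asker's container is applying the ISO-8859-1 default is exactly that, an assumption the check below confirms or refutes.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;

// Added example; hypothetical class names, Servlet 3.0 API (what JBoss AS 7 implements).
public class Utf8Mojibake {

    // Reproduce the symptom. The browser sends the field as UTF-8 bytes; a container
    // that sees no charset in the Content-Type decodes the POST body as ISO-8859-1, so
    // every multi-byte character becomes two or three Latin-1 characters: "©" turns into
    // "Â©", and "“" into "â" followed by two C1 control characters, which most debuggers
    // and consoles do not print. That is why the question's output shows lone "â"s.
    static String decodeAsContainerWould(String typed) {
        byte[] wire = typed.getBytes(StandardCharsets.UTF_8);
        return new String(wire, StandardCharsets.ISO_8859_1);
    }

    // Diagnostic check: if reversing the decode restores the original text, the bytes
    // arrived intact and only the charset used to decode them was wrong. If it does
    // not, the damage happened earlier (for example, a lossy conversion in a filter
    // or a database column with a non-UTF-8 collation).
    static String undoMisdecode(String garbled) {
        byte[] wire = garbled.getBytes(StandardCharsets.ISO_8859_1);
        return new String(wire, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String typed = "\u201c \u00a9\u201d \u2018with special character\u2019 \u2014 \u00bb \u00c9 \u20ac"; // the question's input
        String seen = decodeAsContainerWould(typed);
        System.out.println("typed:    " + typed);
        System.out.println("seen:     " + seen);
        System.out.println("repaired: " + undoMisdecode(seen));
        System.out.println("repair matches typed: " + typed.equals(undoMisdecode(seen)));
    }
}

// Standard servlet-level remedy: declare the request encoding before any parameter is
// read. ServletRequest#setCharacterEncoding has no effect once getParameter() has been
// called, so this has to run ahead of the JSF lifecycle, which is why it lives in a
// filter and not in a managed bean.
@WebFilter("/*")
class Utf8RequestEncodingFilter implements Filter {
    @Override public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req.getCharacterEncoding() == null) { // honour an explicit charset if the client sent one
            req.setCharacterEncoding("UTF-8");
        }
        chain.doFilter(req, res);
    }

    @Override public void destroy() { }
}
```

Run the main() to see the two-faced output, then add the filter to the web application; if the breakpoint still shows garbled text afterwards, run the stored value through undoMisdecode: a clean round trip means another layer (JDBC URL, column charset) is re-encoding it, while a failure means bytes were already lost before the filter.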
How to display value with HTML tag inside h:inputTextarea?
In the DB I have a column containing data; it contains plain text and HTML tags. I want to display it in h:inputTextarea. How can I do it?
I want to display HTML inside h:inputTextArea; it means the DB contains <br/> or <b> and </b>, and when it displays in h:inputTextArea it must display bold or a line break.
That's not possible due to the nature of the HTML <textarea> element. Even if it were possible, this would put the door wide open to XSS injection attacks. Also, how would you ever let the end user edit the markup in the textarea, like changing bold to, for example, italics, or adding other markup? That's plainly impossible with a <textarea>.
If your sole intent is to have a rich text editor, then you need to homegrow one with help of a <div> and a good shot of JavaScript or, better, use an existing JSF component which achieves this. For example, PrimeFaces' <p:editor>.
Or, if your sole intent is to display it only, then use <h:outputText> with the escape attribute set to false. Once again, keep XSS risks in mind.
Use the f:verbatim tag -> JSF Verbatim Tag