I'm using PrimeFaces with JSF 2.0 to build one application. I'm using PrimeFaces <p:editor> component to enable user to create rich text. But the output of this component is HTML source which look like this:
String text = "<p>This text <i>contains</i> some <b>HTML</b> code.</p>";
When I show this in a <h:outputText> as below:
<h:outputText value="#{bean.text}" />
Then it shows the HTML code as plain text:
<p>This text <i>contains</i> some <b>HTML</b> code.</p>
Is there any component which can interpret the HTML source so that e.g. <i> is actually shown as italics and <b> as bold?
This text contains some HTML code.
JSF by default escapes HTML from backing bean properties in order to prevent XSS attack holes. To disable this, just set the escape attribute of the <h:outputText> to false.
<h:outputText ... escape="false" />
This way the HTML won't be escaped and will thus be interpreted by the webbrowser.
Unrelated to the concrete problem, beware of XSS attacks as you're here basically redisplaying user-controlled input unescaped. You might want to sanitize it beforehand.
What is the general concept behind XSS?
CSRF, XSS and SQL Injection attack prevention in JSF
Server side HTML sanitizer/cleanup for JSF
Escape everything but linebreaks in h:outputText
Related
I have a html string which contains images and text. While rendering, I only want to render the text and not the images.
I tried to do this :
<h:outputText escape="false" value="#{fn:replace(answerBlock.content,'<img>','')}" />
but this returned a malformed html which then rendered on the screen .
How can I skip the img tags and just render the text in jsf ?
Do not use string or regex functions to manipulate user-controlled HTML. The risk for a XSS attack hole is in this particular example very big as not all aspects are covered (e.g. <script>, onclick, etc). Just use a real HTML parser which is aware of XSS implications. For example Jsoup which has also a whitelist sanitizer feature.
String sanitizedHtml = Jsoup.clean(dirtyHtml, Whitelist.basic());
Then display that instead:
<h:outputText value="#{bean.sanitizedHtml}" escape="false" />
To improve performance, consider parsing it only once and saving in DB along with raw data.
See also:
How to implement a possibility for user to post some html-formatted data in a safe way?
CSRF, XSS and SQL Injection attack prevention in JSF
I would add code to your answerBlock bean. Something like:
public String imageStrippedContent() {
return stripImgTags( content() );
}
private String stripImgTags( String html ) {
// strip img tag using dom parser like jtidy, or maybe regex
...
}
Then modify your facelet to:
<h:outputText escape="false" value="#{answerBlock.imageStrippedContent} />
I have DIV element with a header style enclosing a h:outputText but when the page renders i see the HTML is formed in such a way that my div doesnot contain the label generated by the h:outputText instead i see the label above my DIV . Am i doing it wrong? i tried f:verbatim but didn't help either
Based on your question history you're using the ancient JSF 1.1. The <f:verbatim> way should work. Perhaps you've enclosed JSF components inside <f:verbatim>. You should not do that. It should only contain raw HTML.
<f:verbatim><div></f:verbatim>
<h:outputText value="Some text." />
<f:verbatim></div></f:verbatim>
Since JSF 1.2 the <f:verbatim> is not necessary anymore. JSF 1.2 should work on all environments where JSF 1.1 is been used. I strongly recommend to upgrade.
See also:
Mix HTML and JSF in a JSF subview
What are the main disadvantages of Java Server Faces 2.0? (a bit of history)
I have what it seems to be a very trivial question for you jsf expert out there...
I'm working in a JSF 2.0 application. Said that I have managed bean with a property containing an html portion to display to the user, which faces control should I use to emit that html directly on the page, without encoding it?
Did you try that:
<h:outputText value="#{myBean.myProperty}" escape="false"/>
By default, escape attribute is set to true in order to escape the HTML / XML characters.
I used the rich: editor component to enter rich content and I save it in a database. When I tried to display it in outputText field , rich tags are not interpreted and are displayed as simple text.
So my question is: how can I make the jsf component (or Richfaces) interpret this rich content and display it properly??
The h:outputText indeed by default escapes predefined XML/HTML entities to avoid XSS attacks. If you want to display user-controlled input unescaped, then just set the escape attribute to false.
<h:outputText value="#{bean.text}" escape="false" />
However, keep potential XSS attacks in mind. If the rich:editor isn't already sanitizing user input from XSS, then you can do this with help of among others Jsoup.
When the Apache My Faces JSF 1.2 Implementation renders an HTML page behind the scenes , is it even possible to set/code something which will display a pure HTML Table / DIV (NOT the jsf component ) conditionally. When I searched , I saw that , using h:panelGroup is a solution, but I haven't tried yet, posting here for any better methods or approaches.
Its almost like wanting to say - writing a javascript code in java and inject it when the HTML is rendered - is it possible?
Thanks,
Several ways.
Use <h:panelGroup layout="block">. It renders a HTML <div> element.
<h:panelGroup layout="block" rendered="#{bean.condition}">
content
</h:panelGroup>
Wrap the HTML <div> element inside a <h:panelGroup>. Without any client-side attributes like id, styleClass, onclick, etc, the <h:panelGroup> won't render anything. With them it would however render a <span> element (or <div> if layout is set to block).
<h:panelGroup rendered="#{bean.condition}">
<div>content</div>
</h:panelGroup>
Wrap the HTML <div> element inside a <f:verbatim>.
<f:verbatim rendered="#{bean.condition}">
<div>content</div>
</f:verbatim>
It's by the way not so special that MyFaces generates HTML. The Mojarra JSF implementation also does that. The competitors Struts2, Spring MVC, Wicket, Tapestry, etc..etc.. also. Microsoft ASP.NET MVC also. PHP also. All server side languages in fact. Simply because of the fact that the webbrowser doesn't understand them. It only understands HTML/CSS/JS ;)
As to mixing JavaScript with Java/JSP/JSF, you may find this article useful.