Will <h:inputHidden> tag do the html encoding for the attribute value it renders?
I cannot find any documentation on this.
In JSF, everything is HTML-encoded, unless you explicitly set escape="false" attribute on the tag/component supporting that attribute (such as <h:outputText>).
This thus also covers the value of any <h:inputXxx> component.
See also:
CSRF, XSS and SQL Injection attack prevention in JSF
Related
I'm using PrimeFaces with JSF 2.0 to build one application. I'm using PrimeFaces <p:editor> component to enable user to create rich text. But the output of this component is HTML source which look like this:
String text = "<p>This text <i>contains</i> some <b>HTML</b> code.</p>";
When I show this in a <h:outputText> as below:
<h:outputText value="#{bean.text}" />
Then it shows the HTML code as plain text:
<p>This text <i>contains</i> some <b>HTML</b> code.</p>
Is there any component which can interpret the HTML source so that e.g. <i> is actually shown as italics and <b> as bold?
This text contains some HTML code.
JSF by default escapes HTML from backing bean properties in order to prevent XSS attack holes. To disable this, just set the escape attribute of the <h:outputText> to false.
<h:outputText ... escape="false" />
This way the HTML won't be escaped and will thus be interpreted by the webbrowser.
Unrelated to the concrete problem, beware of XSS attacks as you're here basically redisplaying user-controlled input unescaped. You might want to sanitize it beforehand.
What is the general concept behind XSS?
CSRF, XSS and SQL Injection attack prevention in JSF
Server side HTML sanitizer/cleanup for JSF
Escape everything but linebreaks in h:outputText
I have a question about the idea behind the fact, that only UIForm got the attribute prependId. Why is the attribute not specified in the NamingContainer interface? You will now probably say that's because of backward compability but I would preferre breaking the compability and let users which implement that interface, also implement methods for the prependId thing.
The main problem from my perspective about the prependId in the UIForm component is, that it will break findComponent()
I would expect that if I use prependId, then the NamingContainer behaviour would change, not only related to rendering but also when wanting to search for components in the component tree.
Here a simple example:
<h:form id="test" prependId="false">
<h:panelGroup id="group"/>
</h:form>
Now when i want to get the panelGroup component I would expect to pass the string "group" to the method findComponent(), but it won't find anything, I have to use "test:group" instead.
The concrete problem with that is, when using ajax with prependId="false". The ajax tag expects in the attributes update and process, that the values care of naming containers. It's a bit strange that when I use prependId="false" that I have to specify the full id or path, but okay.
<h:form id="test" prependId="false">
<h:panelGroup id="group"/>
</h:form>
<h:form id="test1" prependId="false">
<h:commandButton value="go">
<f:ajax render="test:group"/>
</h:commandButton>
</h:form>
Well this code will render without problems but it won't update the panelGroup because it cannot find it. The PartialViewContext will contain only the id "group" as element of the renderIds. I don't know if this is expected, probably it is but I don't know the code. Now we come to the point where the method findComponent() can not find the component because the expression passed as parameter is "group" where the method would expect "test:group" to find the component.
One solution is to write your own findComponent() which is the way I chose to deal with this problem. In this method i handle a component which is a NamingContainer and has the property prependId set to false like a normal UIComponent. I will have to do that for every UIComponent which offers a prependId attribute and that is bad. Reflection will help to get around the static definition of types but it's still not a really clean solution.
The other way would be introducing the prependId attribute in the NamingContainer interface and change the behaviour of findComponent() to work like described above.
The last proposed solution would be changing the behaviour of the ajax tag to pass the whole id, but this would only solve the ajax issue and not the programmatic issues behind the findComponent() implementation.
What do you think about that and why the hell is it implemented like that? I can't be the first having this problem, but I wasn't able to find related topics?!
Indeed, UIComponent#findComponent() as done by <f:ajax render> fails when using <h:form prependId="false">. This problem is known and is a "Won't fix": JSF spec issue 573.
In my humble opinion, they should never have added the prependId attribute to the UIForm during the JSF 1.2 ages. It was merely done to keep j_security_check users happy who would like to use a JSF form with JSF input components for that (j_security_check requires exact input field names j_username and j_password which couldn't be modified by configuration). But they didn't exactly realize that during JSF 1.2 another improvement was introduced which enables you to just keep using <form> for that instead of sticking to <h:form>. And then CSS/jQuery purists start abusing prependId="false" to avoid escaping the separator character : in their poorly chosen CSS selectors.
Just don't use prependId="false", ever.
For j_security_check, just use <form> or the new Servlet 3.0 HttpServletRequest#login(). See also Performing user authentication in Java EE / JSF using j_security_check.
For CSS selectors, in case you absolutely need an ID selector (and thus not a more reusable class selector), simply wrap the component of interest in a plain HTML <div> or <span>.
See also:
How to select JSF components using jQuery?
How to use JSF generated HTML element ID with colon ":" in CSS selectors?
By default, JSF generates unusable ids, which are incompatible with css part of web standards
I am new to JSF and getting very confused doing something trivial. I am making up this example here to elaborate what I am want to do:
I have a xhtml fragment, say, stockQuoteFragment.xhtml, which is backed by a ManagedBean, say, StockQuoteService.java. StockQuoteService.java has property stockID and a method getStockQuote() which has all the logic to get the stockQuote for the value set on stockID property. stockQuoteFragment.xhtml displays #stockQuoteService.stockQuote.
Now I have another page Home.xhtml page with backing bean HomeBackingBean.java with a method getUserFavoriteStockID(). I want to include content of stockQuoteFragment.xhtml in Home.xhtml passing in the value of #homeBackingBean.userFavoriteStockID to StockQuoteService.setStockID().
I am not sure how to do this in JSF/Facelets. With simple JSPs I could do this easily with a JSP include and include parameters
No.
...According to TLD or attribute directive in tag file, attribute var does not accept any expressions.
I have just tried it.
But if you use pure XML based JSF with tags, you can easily use <ui:param> as discussed here. I use JSF in JSP and for me there is no help (<c:set> is mostly useless).
Can I just do this in Home.xhtml before I ui:include stockQuoteFragment.xhtml into it:
<c:set var="#{StockQuoteService.stockID}" value="#homeBackingBean.userFavoriteStockID"/>
will that work?
I have what it seems to be a very trivial question for you jsf expert out there...
I'm working in a JSF 2.0 application. Said that I have managed bean with a property containing an html portion to display to the user, which faces control should I use to emit that html directly on the page, without encoding it?
Did you try that:
<h:outputText value="#{myBean.myProperty}" escape="false"/>
By default, escape attribute is set to true in order to escape the HTML / XML characters.
I used the rich: editor component to enter rich content and I save it in a database. When I tried to display it in outputText field , rich tags are not interpreted and are displayed as simple text.
So my question is: how can I make the jsf component (or Richfaces) interpret this rich content and display it properly??
The h:outputText indeed by default escapes predefined XML/HTML entities to avoid XSS attacks. If you want to display user-controlled input unescaped, then just set the escape attribute to false.
<h:outputText value="#{bean.text}" escape="false" />
However, keep potential XSS attacks in mind. If the rich:editor isn't already sanitizing user input from XSS, then you can do this with help of among others Jsoup.