I would like to show code like primefaces showcase:http://www.primefaces.org/showcase/ui/datatableRowSelectionByColumn.jsf
i use SyntaxHighlighter
,when i include facelets file in pre tag, it work fine.But when i show short code like:<h:outputtext value="test"/>
i code:
<pre class="xml" name="code" ><h:outputtext value="test"/></pre>
it will display html code, the code after jsf compile and render.
i want jsf not compile to html code.
If i use html special character, it seem to be more verbose to code.
How to config or take more code to do that.
(Sorry for my English)
Thank for your attention !
When writing code directly inside the XHTML template, you really need to manually escape XML entities if you intend to present them as-is.
<pre class="xml" name="code"><h:outputtext value="test"/></pre>
Hard to read? Perhaps for a starter, but not for an advanced.
Alternatively, you could store them somewhere in a String which can if necessary be populated from a text (properties) file or even a DB.
String code = "<h:outputText value=\"test\" />";
(please note that you need to escape the doublequotes when you want to hardcode it as a Java String; you don't need to escape anything when it's stored in a text file or a DB)
Facelets will automatically escape it:
<pre class="xml" name="code">#{bean.code}</pre>
You need to exchange the < by < and > by >.
In else case it will be treated as HTML.
Related
button#someId.input-append(type="button", for="some string") myLabel
I know it creates a button, but I'm not sure what "for" attribute does and what input-append does. I don't see any different by removing them. And I appreciate much if anyone of you can point me to a good site that list all possible attributes in jade.
The above jade code will produce the following HTML:
<button id="someId" class="input-append" type="button" for="some string">myLabel</button
The .input-append is merely a class for the input, and anything within the brackets is just translated to HTML-Attributes. Jade is only markup, and there's no special meaning to these. Jade will translate any key="content"-combo into attributes, as well as any .class.
I need a output text which works like h:outputText with escape="false" attribute, but doesn't let scripts to run. After a little search I found tr:outputFormatted makes that, but in our project we doesn't use trinidad. Is there something like outputFormatted in tomahawk, or in another taglib?
for example,
<h:outputText id="id" value="<b>test text</b><script type="text/javascipt">alert('I dont want these alert to show');</script>" escape="false"/>
that shows 'test text' bold but it popups the alert dialog too, I don't want the script to run. it can write script code or delete it but shouldn't run.
Use a HTML parser to get rid of those malicious things.
Among others, Jsoup is capable of this. Here's an extract of relevance from its site.
Sanitize untrusted HTML
Problem
You want to allow untrusted users to supply HTML for output on your website (e.g. as comment submission). You need to clean this HTML to avoid cross-site scripting (XSS) attacks.
Solution
Use the jsoup HTML Cleaner with a configuration specified by a Whitelist.
String unsafe =
"<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
String safe = Jsoup.clean(unsafe, Whitelist.basic());
// now: <p>Link</p>
So, all you basically need to do is the the following during preparing the text:
String sanitizedText = Jsoup.clean(rawText, Whitelist.basic());
(you can do it before or after saving the text in DB, but keep in mind that when doing it before without saving the original text, you can't detect malicious users and do social actions anymore)
and then display it as follows:
<h:outputText value="#{bean.sanitizedText}" escape="false" />
How to display value with HTML tag inside h:inputTextarea?
In DB I have column contain data, it contain plain text and HTML tag, I want display it on h:inputTextarea. How can I do it?
i want display HTML inside h:inputTextArea it mean in DB contain <br/> or <b> and </b> , when it display on h:inputTextArea it must display bold or break line.
That's not possible due to the nature of HTML <textarea> element. Even, if it was possible this puts doors wide open to XSS injection attacks. Also, how would you ever let the enduser edit the markup in the textarea like changing bold to for example italics or to add another markup? That's plain impossible with a <textarea>.
If your sole intent is to have a rich text editor, then you need to homegrow one with help of a <div> and a good shot of JavaScript or, better, use an existing JSF component which achieves this. For example, PrimeFaces' <p:editor>.
Or, if your sole intent is to display it only, then use <h:outputText> with the escape attribute set to false. Once again, keep XSS risks in mind.
Use the f:verbatim tag -> JSF Verbatim Tag
I have the follwing code inside a facelet page:
<h:inputNumber value="bean.property">
<f:convertNumber type="currency" />
</h:inputNumber
The converter is because there can be a kind of default value inside the input field, which comes from the bean property. Everything is rendered correctly. The value inside the input field is rendered with an "€" character (e.g. "1.453 €".
When I submit the form there comes an error up:
"nameOfInputField" konnte nicht als ein Geldbetrag erkannt werden '304,00 â¬'
In english it is some like:
"nameOfInputField" could not be regognized as an amount of money '304,00 â¬'
Please have a look at the "€" character. It seems to be printed as "â¬". While it was rendered correctly before submitting the form, now it looks like "â¬" inside the error message and inside the input field.
All pages are encoded in UTF-8.
What is the reason for this error?
How can fix it?
Thanks in advance
â¬
This is typical for the € from an original UTF-8 source which is incorrectly been decoded using ISO-8859-1. Here's a small snippet which demonstrates that:
System.out.println(new String("€".getBytes("UTF-8"), "ISO-8859-1"));
All pages are encoded in UTF-8.
You're likely talking about response encoding. You need to set the request encoding as well.
To set the encoding for GET requests (basically: URI encoding), you need to consult the appserver specific documentation. As it's unclear which one you're using, here's a Tomcat targeted example: <Connector URIEncoding="UTF-8" />. To set the encoding for POST requests, you need to create a simple filter which does request.setCharacterEncoding("UTF-8") if it is null. More background information and hints can be found in this article.
Put this ontop of your facelets page:
<?xml version="1.0" encoding="UTF-8" ?>
It will instruct the facelets parser.
Using Microsoft's AntiXssLibrary, how do you handle input that needs to be edited later?
For example:
User enters:
<i>title</i>
Saved to the database as:
<i>title</i>
On an edit page, in a text box it displays something like:
<i>title</i> because I've encoded it before displaying in the text box.
User doesn't like that.
Is it ok not to encode when writing to an input control?
Update:
I'm still trying to figure this out. The answers below seem to say to decode the string before displaying, but wouldn't that allow for XSS attacks?
The one user who said that decoding the string in an input field value is ok was downvoted.
Looks like you're encoding it more than once. In ASP.NET, using Microsoft's AntiXss Library you can use the HtmlAttributeEncode method to encode untrusted input:
<input type="text" value="<%= AntiXss.HtmlAttributeEncode("<i>title</i>") %>" />
This results in
<input type="text" value="<i>title</i>" /> in the rendered page's markup and is correctly displayed as <i>title</i> in the input box.
Your problem appears to be double-encoding; the HTML needs to be escaped once (so it can be inserted into the HTML on the page without issue), but twice leads to the encoded version appearing literally.
You can call HTTPUtility.HTMLDecode(MyString) to get the text back to the unencoded form.
If you are allowing users to enter HTML that will then be rendered on the site, you need to do more than just Encode and Decode it.
Using AntiXss prevents attacks by converting script and markup to text. It does not do anything to "clean" markup that will be rendered directly. You're going to have to manually remove script tags, etc. from the user's input to be fully protected in that scenario.
You'll need to strip out script tags as well as JavaScript attributes on legal elements. For example, an attacker could inject malicious code into the onclick or onmouseover attributes.
Yes, the code inside input boxes is safe from scripting attacks and does not need to be encoded.