I have what it seems to be a very trivial question for you jsf expert out there...
I'm working in a JSF 2.0 application. Said that I have managed bean with a property containing an html portion to display to the user, which faces control should I use to emit that html directly on the page, without encoding it?
Did you try that:
<h:outputText value="#{myBean.myProperty}" escape="false"/>
By default, escape attribute is set to true in order to escape the HTML / XML characters.
Related
I'm using PrimeFaces with JSF 2.0 to build one application. I'm using PrimeFaces <p:editor> component to enable user to create rich text. But the output of this component is HTML source which look like this:
String text = "<p>This text <i>contains</i> some <b>HTML</b> code.</p>";
When I show this in a <h:outputText> as below:
<h:outputText value="#{bean.text}" />
Then it shows the HTML code as plain text:
<p>This text <i>contains</i> some <b>HTML</b> code.</p>
Is there any component which can interpret the HTML source so that e.g. <i> is actually shown as italics and <b> as bold?
This text contains some HTML code.
JSF by default escapes HTML from backing bean properties in order to prevent XSS attack holes. To disable this, just set the escape attribute of the <h:outputText> to false.
<h:outputText ... escape="false" />
This way the HTML won't be escaped and will thus be interpreted by the webbrowser.
Unrelated to the concrete problem, beware of XSS attacks as you're here basically redisplaying user-controlled input unescaped. You might want to sanitize it beforehand.
What is the general concept behind XSS?
CSRF, XSS and SQL Injection attack prevention in JSF
Server side HTML sanitizer/cleanup for JSF
Escape everything but linebreaks in h:outputText
I am new to JSF and getting very confused doing something trivial. I am making up this example here to elaborate what I am want to do:
I have a xhtml fragment, say, stockQuoteFragment.xhtml, which is backed by a ManagedBean, say, StockQuoteService.java. StockQuoteService.java has property stockID and a method getStockQuote() which has all the logic to get the stockQuote for the value set on stockID property. stockQuoteFragment.xhtml displays #stockQuoteService.stockQuote.
Now I have another page Home.xhtml page with backing bean HomeBackingBean.java with a method getUserFavoriteStockID(). I want to include content of stockQuoteFragment.xhtml in Home.xhtml passing in the value of #homeBackingBean.userFavoriteStockID to StockQuoteService.setStockID().
I am not sure how to do this in JSF/Facelets. With simple JSPs I could do this easily with a JSP include and include parameters
No.
...According to TLD or attribute directive in tag file, attribute var does not accept any expressions.
I have just tried it.
But if you use pure XML based JSF with tags, you can easily use <ui:param> as discussed here. I use JSF in JSP and for me there is no help (<c:set> is mostly useless).
Can I just do this in Home.xhtml before I ui:include stockQuoteFragment.xhtml into it:
<c:set var="#{StockQuoteService.stockID}" value="#homeBackingBean.userFavoriteStockID"/>
will that work?
I have DIV element with a header style enclosing a h:outputText but when the page renders i see the HTML is formed in such a way that my div doesnot contain the label generated by the h:outputText instead i see the label above my DIV . Am i doing it wrong? i tried f:verbatim but didn't help either
Based on your question history you're using the ancient JSF 1.1. The <f:verbatim> way should work. Perhaps you've enclosed JSF components inside <f:verbatim>. You should not do that. It should only contain raw HTML.
<f:verbatim><div></f:verbatim>
<h:outputText value="Some text." />
<f:verbatim></div></f:verbatim>
Since JSF 1.2 the <f:verbatim> is not necessary anymore. JSF 1.2 should work on all environments where JSF 1.1 is been used. I strongly recommend to upgrade.
See also:
Mix HTML and JSF in a JSF subview
What are the main disadvantages of Java Server Faces 2.0? (a bit of history)
I'm new to JSF (just started learning about it 4 days ago) and I'm a bit confused about the usage of h:outputText. I know that is a simple tag, but in most examples I've seen, it's used to output very simple (no need to escape), non-i18n text. For example (taken from here)
<h:outputText value="Transport" />
which could be replaced by
Transport
So, I'm wondering if I'm missing something or if most of the examples I've seen are overcomplicated to the point of insanity.
If you're using JSF 2.x with Facelets 2.x instead of JSP, then both are equally valid. Even more, Facelets implicitly wraps inline content in a component as represented by <h:outputText> (in other words, it will be escaped!).
Only whenever you'd like to disable escaping using escape="false", or would like to assign id, style, onclick, etc programmatically, or would like to use a converter (either explicit via converter or implicit via forClass), then you need <h:outputText>.
I myself don't use <h:outputText> whenever it is not necessary. Without it, the source code becomes better readable. You can just inline EL in template text like so #{bean.text} instead of doing <h:outputText value="#{bean.text}">. Before JSF 2.0, in JSP and Facelets 1.x, this was not possible and thus the <h:outputText> is mandatory. If your IDE gives warnings on this, it's most likely JSF 1.x configured/minded.
The example you quote is written in XHTML - which is XML. A standalone 'Transport' may not be allowed at the position you want to put it in, so that you need to "transform" it into valid xml.
IIrc this what is called facelets and the default in JSF2, while in JSF1, the presentation code could be done with JSP tags as default and facelets was an alternative that many developers were using).
h:outputText tag is required only if you are rendering the text based on some render condition.
eg: <h:outputText value="Transport" rendered="#{myBean.displayText}"/>.
If its a simple output statement then there is no need of using the tag; you could just use: Transport
I used the rich: editor component to enter rich content and I save it in a database. When I tried to display it in outputText field , rich tags are not interpreted and are displayed as simple text.
So my question is: how can I make the jsf component (or Richfaces) interpret this rich content and display it properly??
The h:outputText indeed by default escapes predefined XML/HTML entities to avoid XSS attacks. If you want to display user-controlled input unescaped, then just set the escape attribute to false.
<h:outputText value="#{bean.text}" escape="false" />
However, keep potential XSS attacks in mind. If the rich:editor isn't already sanitizing user input from XSS, then you can do this with help of among others Jsoup.