how to display rich content using jsf component? - jsf

I used the rich:editor component to enter rich content and I save it in a database. When I tried to display it in an outputText field, rich tags are not interpreted and are displayed as simple text.
So my question is: how can I make the JSF component (or RichFaces) interpret this rich content and display it properly?

The h:outputText indeed by default escapes predefined XML/HTML entities to avoid XSS attacks. If you want to display user-controlled input unescaped, then just set the escape attribute to false.
<h:outputText value="#{bean.text}" escape="false" />
However, keep potential XSS attacks in mind. If the rich:editor isn't already sanitizing user input from XSS, then you can do this with help of among others Jsoup.

Related

How to input HTML code by Servlet in JSF page [duplicate]

I'm using PrimeFaces with JSF 2.0 to build one application. I'm using the PrimeFaces <p:editor> component to enable the user to create rich text. But the output of this component is HTML source which looks like this:
String text = "<p>This text <i>contains</i> some <b>HTML</b> code.</p>";
When I show this in a <h:outputText> as below:
<h:outputText value="#{bean.text}" />
Then it shows the HTML code as plain text:
<p>This text <i>contains</i> some <b>HTML</b> code.</p>
Is there any component which can interpret the HTML source so that e.g. <i> is actually shown as italics and <b> as bold?
This text contains some HTML code.
JSF by default escapes HTML from backing bean properties in order to prevent XSS attack holes. To disable this, just set the escape attribute of the <h:outputText> to false.
<h:outputText ... escape="false" />
This way the HTML won't be escaped and will thus be interpreted by the web browser.
Unrelated to the concrete problem, beware of XSS attacks as you're here basically redisplaying user-controlled input unescaped. You might want to sanitize it beforehand.
What is the general concept behind XSS?
CSRF, XSS and SQL Injection attack prevention in JSF
Server side HTML sanitizer/cleanup for JSF
Escape everything but linebreaks in h:outputText
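The two answers above (the rich:editor question and this one) both end with the same advice: set escape="false" only on a value that has already been sanitized, for example with Jsoup. The following is an added example, not code from either answer, showing what the default escaping does to stored editor output, what a Jsoup clean of the same value looks like, and a getter a page could bind to with escape="false". The bean name RichTextBean, its properties and the sample HTML are constructed for the example; it assumes Jsoup 1.14.1 or later (the Safelist class; earlier releases call it Whitelist).

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/**
 * Hypothetical backing bean (example code, not from the original answers).
 * Assumes Jsoup 1.14.1+ (Safelist; older releases name it Whitelist).
 * The "text" property stands for whatever the rich editor stored in the database.
 */
public class RichTextBean {

    /** Raw HTML as stored by the editor; constructed sample value. */
    private String text = "<p>Hello <b>world</b></p>"
            + "<a href=\"http://example.com\" onclick=\"run()\">link</a>"
            + "<script>x()</script>";

    public String getText() { return text; }
    public void setText(String text) { this.text = text; }

    /**
     * Roughly what JSF renders for <h:outputText value="#{bean.text}"/> with the
     * default escape="true": markup characters become entities, so the browser
     * shows the tags literally instead of interpreting them.
     */
    public String getEscapedText() {
        return text.replace("&", "&amp;")
                   .replace("<", "&lt;")
                   .replace(">", "&gt;")
                   .replace("\"", "&quot;");
    }

    /**
     * Value to bind to <h:outputText value="#{bean.safeText}" escape="false"/>.
     * Safelist.basic() keeps simple formatting elements (p, b, i, a[href], ...),
     * drops the script element entirely, removes the onclick attribute, and adds
     * rel="nofollow" to links.
     */
    public String getSafeText() {
        return Jsoup.clean(text, Safelist.basic());
    }

    /**
     * Alternative for a JSF validator on the editor field: reject input that
     * would be changed by cleaning instead of silently cleaning it on output.
     */
    public boolean isTextSafe() {
        return Jsoup.isValid(text, Safelist.basic());
    }

    public static void main(String[] args) {
        RichTextBean bean = new RichTextBean();
        System.out.println("escaped: " + bean.getEscapedText());
        System.out.println("cleaned: " + bean.getSafeText());
        System.out.println("valid:   " + bean.isTextSafe()); // false for the sample above
    }
}
```

Cleaning on output (getSafeText) protects every page that ever renders the stored value; validating on input (isTextSafe) keeps unwanted markup out of the database in the first place. Doing both costs little and means a single page that forgets escape handling is not a hole.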

Will <h:inputHidden> tag do the html encoding for the attribute value it renders?

I cannot find any documentation on this.
In JSF, everything is HTML-encoded, unless you explicitly set escape="false" attribute on the tag/component supporting that attribute (such as <h:outputText>).
This thus also covers the value of any <h:inputXxx> component.
See also:
CSRF, XSS and SQL Injection attack prevention in JSF

Rendering hidden span text inside h:commandLink

We have an accessibility requirement to render certain command links with additional "off screen" text for screen readers. So we want to end up rendering something like (attributes omitted for clarity)
<a>Edit Details<span class="hiddenOffScreen"> for John Smith</span></a>
The problem is the standard JSF 1.2 <h:commandLink> tag does not respect the escape attribute. I tried something like <h:commandLink escape="false" value="#{linkText}"/> where linkText evaluates to the contents of the a tag shown above, but this renders the span tag literally (i.e. escapes the < and >).
How best to go about meeting this requirement? I can of course easily add the span later with jQuery; however, for my own education I'd like to have a try with a custom renderer, but I'm not sure how I would hook in with the existing default renderer which adds the "onClick" event handler and associated JavaScript. My google-foo seems to have failed me when searching for custom commandLink renderer.
Bear in mind, this is JSF 1.2 and we cannot use any third party tag libraries as we're running on a braindead very old version of WebSphere Portal Server.
You can nest content, including other tags and/or implicit text, within the <h:commandLink> tag, instead of specifying text within its value attribute, to achieve your functionality:
<h:commandLink ...>
<h:outputText .../>
<span class="hidden"></span>
#{bean.someText}
</h:commandLink>
This will render exactly what you want.
Use &lt; or &gt; to write < >

jsf output html-formatted text

I have what seems to be a very trivial question for you JSF experts out there...
I'm working in a JSF 2.0 application. Say that I have a managed bean with a property containing an HTML portion to display to the user; which Faces control should I use to emit that HTML directly on the page, without encoding it?
Did you try that:
<h:outputText value="#{myBean.myProperty}" escape="false"/>
By default, escape attribute is set to true in order to escape the HTML / XML characters.

Is it suggested to use h:outputText for everything?

I'm new to JSF (just started learning about it 4 days ago) and I'm a bit confused about the usage of h:outputText. I know that it is a simple tag, but in most examples I've seen, it's used to output very simple (no need to escape), non-i18n text. For example (taken from here)
<h:outputText value="Transport" />
which could be replaced by
Transport
So, I'm wondering if I'm missing something or if most of the examples I've seen are overcomplicated to the point of insanity.
If you're using JSF 2.x with Facelets 2.x instead of JSP, then both are equally valid. Even more, Facelets implicitly wraps inline content in a component as represented by <h:outputText> (in other words, it will be escaped!).
Only whenever you'd like to disable escaping using escape="false", or would like to assign id, style, onclick, etc programmatically, or would like to use a converter (either explicit via converter or implicit via forClass), then you need <h:outputText>.
I myself don't use <h:outputText> whenever it is not necessary. Without it, the source code becomes more readable. You can just inline EL in template text like so #{bean.text} instead of doing <h:outputText value="#{bean.text}" />. Before JSF 2.0, in JSP and Facelets 1.x, this was not possible and thus the <h:outputText> is mandatory. If your IDE gives warnings on this, it's most likely JSF 1.x configured/minded.
The example you quote is written in XHTML, which is XML. A standalone 'Transport' may not be allowed at the position you want to put it in, so you need to "transform" it into valid XML.
IIRC this is what is called Facelets and it is the default in JSF 2, while in JSF 1 the presentation code could be done with JSP tags by default and Facelets was an alternative that many developers were using.
The h:outputText tag is required only if you are rendering the text based on some render condition.
e.g. <h:outputText value="Transport" rendered="#{myBean.displayText}"/>.
If it's a simple output statement then there is no need to use the tag; you could just use: Transport