shale-user mailing list archives

From gvanma...@comcast.net (Gary VanMatre)
Subject Re: Clay not escaping strings?
Date Thu, 09 Aug 2007 15:53:27 GMT
>From: "Richard Eggert" <reggert@proteus-technologies.com> 
>
> I'm using Clay with HTML templates in an application on which I am working. In 
> several cases, I refer to managed bean properties directly in my template text 
> (e.g., <p>#{mybean.prop}</p>). I recently noticed MyFaces' ReducedHTMLParser
> throwing exceptions about malformed HTML. Not finding any problems in my HTML 
> template itself, I looked at the generated page source and discovered that in 
> cases where a managed bean property contained special characters (in my case, 
> less-than and greater-than signs), Clay is apparently not escaping them before 
> rendering them. 
> 
> Is this a bug in Clay or a "feature" (or a configuration problem on my part)? 
> 


This is a "feature" :-).  The way that Clay works is that any markup in the 
template that doesn't map to a JSF component is treated as "verbatim".
If the markup contains a value binding expression, it's evaluated but there
is not an attempt to identify (parse out) an inline expression within the markup.

In the example above, the value expression would equate to the following:

ValueBinding vb = FacesContext.getCurrentInstance().getApplication().createValueBinding("<p>#{mybean.prop}</p>");


Something you might try is wrapping these expressions in a span tag 
mapped to an outputText component.

Consider:

<p><span jsfid="outputText" escape="true">#{mybean.prop}</span></p>




> Is there any workaround aside from putting calls to 
> org.apache.commons.lang.StringEscapeUtils.escapeHtml() in every managed bean 
> "getter" method that returns a String or wrapping all references in > escape="true">?

> 
> I'm using Shale v1.0.4. 
> 
> 
> Rich Eggert 
> Member of Technical Staff 
> Proteus Technologies, LLC 
> http://www.proteus-technologies.com 


Gary
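
The verbatim behaviour described in this reply can be checked across a set of templates. The script below is an added example, not part of the original message or of Shale/Clay: it heuristically flags #{...} expressions that sit in markup with no jsfid, or under escape="false". The function name, sample template and bean names are constructed, and it assumes a jsfid element escapes its value unless escape is set to false.

```python
import re

# A token is an opening/closing tag or a #{...} expression in text.
TOKEN = re.compile(r"<(/?)([A-Za-z][\w:.-]*)([^<>]*)>|#\{[^}]*\}")
EXPR = re.compile(r"#\{[^}]*\}")
VOID = {"br", "hr", "img", "input", "meta", "link"}

# Constructed sample template (not taken from the thread).
SAMPLE = """<html><body>
<p>#{mybean.prop}</p>
<p><span jsfid="outputText" escape="true">#{mybean.prop}</span></p>
<a href="#{mybean.link}">static</a>
<span jsfid="outputText" escape="false">#{mybean.raw}</span>
</body></html>
"""

def unescaped_bindings(template):
    """Return (line, expression) for bindings rendered as verbatim markup."""
    findings = []
    stack = []  # (tag name, escaped_by_component) per open element
    for m in TOKEN.finditer(template):
        line = template.count("\n", 0, m.start()) + 1
        if m.group(2) is None:
            # Expression in text: safe only if its parent is an escaping component.
            if not (stack and stack[-1][1]):
                findings.append((line, m.group(0)))
            continue
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if closing:
            # Pop back to the nearest matching open element, if any.
            for i in range(len(stack) - 1, -1, -1):
                if stack[i][0] == name:
                    del stack[i:]
                    break
            continue
        mapped = re.search(r"\bjsfid\s*=", attrs) is not None
        raw = re.search(r"\bescape\s*=\s*[\"']false[\"']", attrs) is not None
        if not mapped:
            # Attributes of verbatim tags are part of the same unescaped string.
            findings.extend((line, e) for e in EXPR.findall(attrs))
        if name not in VOID and not attrs.rstrip().endswith("/"):
            stack.append((name, mapped and not raw))
    return findings

if __name__ == "__main__":
    for line, expr in unescaped_bindings(SAMPLE):
        print(f"line {line}: {expr} is emitted without HTML escaping")
```
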
