Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
0 votes
410 views
in Technique[技术] by (71.8m points)

java - JSF 2.0; escape="false" alternative to prevent XSS?

In my JSF web application I'm using a messages.properties to output some text. This text could have HTML line breaks to format the output text.

That all works fine if I set the escape="false" attribute on the outputText.

The problem is, this attribute with value "false" doesn't prevent XSS (cross site scripting), so I removed this attribute and use the default value "true".

So, I don't want to split all text lines into separate properties in my messages.properties like in this example:

mytext = This is my text<br />with line break and user value {0}...

after:

mytext1 = This is my text
mytext2 = with line break and user value {0}...

Is there any way, other than escape="false", that prevents XSS?

Thanks!


1 Reply

0 votes
by (71.8m points)

It should be possible to just escape the user supplied parameter using the standard JSTL functions in the http://java.sun.com/jsp/jstl/functions namespace:

<h:outputFormat value="#{bundle.myMessage}" escape="false">
    <f:param value="#{fn:escapeXml(param)}"/>
</h:outputFormat>

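The same idea in plain Java, as an added example that is not part of the answer or of JSF: the developer-controlled bundle text keeps its markup (the escape="false" side), while the user value is passed through the replacements fn:escapeXml applies before MessageFormat substitutes it into {0} (the f:param side). The bundle map, the render helper and the user string are constructed for the demonstration.

```java
import java.text.MessageFormat;
import java.util.Map;

public class SafeBundleFormat {

    // Constructed stand-in for messages.properties: the template is developer-controlled
    // and may carry markup; only the {0} placeholder ever receives user input.
    private static final Map<String, String> BUNDLE = Map.of(
        "mytext", "This is my text<br />with line break and user value {0}...");

    // Same five replacements JSTL's fn:escapeXml performs, so the substituted
    // value can no longer open a tag, close an attribute or start an entity.
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Mirrors the answer: trusted template rendered unescaped, parameter escaped first.
    // Escaping the argument (not the pattern) is safe because MessageFormat only
    // parses the pattern; substituted arguments are inserted verbatim.
    static String render(String key, String userValue) {
        return MessageFormat.format(BUNDLE.get(key), escapeXml(userValue));
    }

    public static void main(String[] args) {
        String user = "Tom & <Jerry>";   // constructed user-supplied value
        System.out.println(render("mytext", user));
    }
}
```

The <br /> from the bundle survives as markup while the angle brackets and ampersand from the user value reach the browser as &lt;, &gt; and &amp;, which is exactly the split the h:outputFormat / f:param pair achieves.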