I'm reading text from a properties file. But when I'm using it in JavaScript like this:
alert('<fmt:message key="mykey" />');
If there's a single quote defined in the properties file for this key, there will be an error. If I change the single quotes to double quotes, the error will occur if double quotes are defined in the properties file.
Any ideas?
You'll have to dynamically escape the string using, for example, Apache Commons StringEscapeUtils. You could simply wrap this method into a custom EL function or JSP tag.
You could use the same technique as handlebars: put your messages in <script> tags:
<script type="text/fmt" id="mykey"><fmt:message key="mykey" /></script>
then:
alert(document.getElementById("mykey").innerHTML);
Or, if you're using jQuery:
alert($("#mykey").text());
I am migrating some JSP files to Thymeleaf and I have found the following problem. In the original JSP code there is a file that is included in lots of other JSP files that has a line like the following:
<c:set var="myVar" value="data-x=50 data-y=37" />
In the files which include this one the variable myVar is used like this:
<div class="myClass" ${myVar}>
setting several attributes that are used everywhere all at once. The main point here is that you set up myVar in one file and its values are used in all other files. If you need to change the value of the attributes you only need to change one file.
Trying to replicate this in Thymeleaf, I tried using the th:attr attribute in the following way. First, I set a variable in the model like this:
model.addAttribute("myVar", "data-x=50, data-y=37");
and then in Thymeleaf I do:
<div class="myClass" th:attr="${myVar}" >
but it does not work, it throws
TemplateProcessingException: Could not parse as assignation sequence: "${myVar}"
I've also thought of using JavaScript to add the attributes dynamically using jQuery, but I would prefer to do it some other way, since I did not build the application, it has a lot of scripting and I fear doing it through JavaScript can have side effects.
Is there any way I can write directly in the HTML output using Thymeleaf?
One way you can accomplish this is with preprocessing. Something like this will work with your example:
<div class="myClass" th:attr="__${myVar}__" />
(This does rely on ${myVar} being a valid string for the th:attr property, so you'll have to be careful with it.)
I am trying to use reverse routing to access static Assets using:
@routes.Assets.at("path", "file")
However I would like to define file as a dynamic part as well, like:
@for(c <- models.WebContent.find.all) {
<img src="@routes.Assets.at("/contentfiles/useruploads", "@c.picture1")">
}
The statement above however results in HTML code:
<img src="/contentfiles/userupload/@c.picture1">
Where you can see the dynamic part @c.picture1 is not interpreted as a dynamic filename but is parsed as raw text, resulting in a broken link. What I am expecting is that both dynamic parts are interpreted as dynamic, resulting in e.g.:
<img src="/contentfiles/userupload/1776446515.jpg">
How to define it so both dynamic statements are parsed as dynamic?
PS: I have tried to escape it as @@c.picture or $@c.picture with no luck
Thank you
When using variables as a function argument use it w/out @ char and also not within quotes, otherwise as you can see it's used as a... String
<img src="@routes.Assets.at("/contentfiles/useruploads", c.picture1)">
The same as in condition:
Use:
@if(foo==bar){...}
NOT
@if(@foo==@bar){...}
I have a custom tag that has no body at all. I'm trying to programmatically replace the empty body with, for simplicity's sake,
[<c:out value="SUCCESS!"/>]
The goal is to see "[SUCCESS!]" displayed by the JSP which uses the tag, but all I see is "[]" and if I look at the generated source code, I can see that the c:out statement is written on the page between the brackets, but not interpreted.
Is there a common way to achieve this? The final goal will be to use other custom tags instead of the "c:out" tag. The tags/content will come from a database.
I tried different techniques with SimpleTagSupport and BodyTagSupport but none of those were successful. In fact I'm not sure if it is technically possible to do it, since the tag has already been interpreted at that time. But then how should this be done?
Server tags (like your custom tag or JSTL tags) get transformed to Java code when the JSP is translated into a servlet. For example, the following JSP code:
<c:out value="FooBar" />
gets translated to something like this inside the servlet:
....
OutTag outTag = (OutTag) tagHandlerPool.get(OutTag.class);
outTag.setPageContext(pageContext);
outTag.setParent(null);
outTag.setValue(new String("FooBar"));
int evalOut = outTag.doStartTag();
....
In your custom tags you can call other Java classes/methods and can write HTML code (not JSP code) to the response.
The [<c:out value="SUCCESS!"/>] is not interpreted because at this level it's just a string that gets written directly to the response.
My input html is
<p>
<span>first
</span>
<span>Google Cloud Connect for Microsoft Office</span>
</p>
I am using XSLT 1.0 to convert the HTML to XML. My output XML is
<Relationship Id="rId12700703801" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="http://tools.google.com/dlpage/cloudconnect#utm_campaign=launch&utm_source=en-na-us-gdb-GCC-Appsperience_02242011&utm_medium=blog" TargetMode="External"/></Relationships>
with the error "XML Parsing Error: not well-formed" at the location (after launch&utm_source) in the Target attribute.
I want to escape the special characters present in the URL through XSLT and make the XML.
Please help me. Thanks in advance.
Are you generating the input HTML? If so, you can use URLEncoder.encode to properly encode the string so the transformer doesn't complain about the syntax.
If this is just a random HTML page, and you have no control over it, then you probably need to use some HTML parser, such as tagsoup, et al., to pre-correct it, as most HTML files are not properly formatted.
XSLT expects XML as input, not HTML. You need to turn your HTML into XML if you want to transform it with XSLT.
I think it might be possible to do it with HTML Tidy.
In files.jsp I am using following anchor and JSTL c:url combination -
<c:url value="downloadfile.jsp" var="dwnUrl" scope="request">
<c:param name="fileType" value="PDF"/>
<c:param name="fileId" value="${file.fileId}"/>
<c:param name="fileName" value="${file.fileName}"/>
</c:url>
Download
On downloadfile.jsp getting the file name value in JavaScript variable as -
selectedFile = <c:out value='${param.fileName}'/>
Now, if file name contains some extra character e.g. XYZ 2/3" Technical then on the other page I am getting some different character as - XYZ 2/3#034; Technical
However, if I print request.getParameter("fileName"), its giving correct name. What is wrong?
The <c:out> by default escapes XML entities, such as the double quote. This is done to get well-formed XML and to avoid XSS.
To fix this, you should either get rid of <c:out>; since JSP 2.0, EL works perfectly fine in template text as well:
selectedFile = '${param.fileName}';
.. or, if you're still on legacy JSP 1.2 or older, set its escapeXml attribute to false:
selectedFile = '<c:out value="${param.fileName}" escapeXml="false" />';
Note that I have added the singlequotes and semicolon to make JS code valid.
Needless to say, you'll need to keep XSS risks in mind if you do so.
The funky characters in your <c:param> values are being URL encoded by <c:url> as they should be. As far as downloadfile.jsp is concerned, the servlet container takes care of URL decoding incoming variables so you don't have to. This is normal behavior and shouldn't pose any problems for you.
If you simply turn escapeXml to false as @BalusC suggests, you will add an XSS vulnerability to your page. Instead, you should encode the user input at the time of injection into the destination language, and escape characters that would be evaluated in the destination language. In this case, if the user input contained a single quote character (I'm assuming the string literal in your original example was supposed to be wrapped in single quotes, but the same would be true for double quotes if you were using them), any JavaScript code that followed it would be interpreted by the browser and executed. To safely do what you are trying to do, you should change the line in downloadfile.jsp to:
selectedFile = '${fn:replace(param.fileName, "'", "\'")}';
That will escape only single quotes, which would otherwise end the string literal declaration.
If you were using double quotes, then this would be appropriate:
selectedFile = "${fn:replace(param.fileName, '"', '\"')}";
It is worth noting that escapeXml could be appropriate for escaping JavaScript string literals (and it often is) when the string literal will eventually be dumped into HTML markup. However, in this case, the value should not be XML escaped as it is evaluated in the context of a file path, rather than in the context of HTML.
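Added example, not part of the original posts: the escaping rule that a server-side helper (such as the custom EL function suggested in the first answer) would apply before writing a value into a quoted JavaScript string, covering both the alert('<fmt:message ... />') case at the top of the page and the selectedFile assignment. It is written in JavaScript so it can be run directly; the function names and sample values are constructed for illustration. It compares quote-only replacement with escaping every character outside a small allowlist.

```javascript
// Everything outside a small allowlist becomes a \uXXXX escape, so the value
// cannot close the literal, continue onto a new line, or end the <script> block.
const NOT_SAFE = /[^A-Za-z0-9 ,._-]/g;

function escapeForJsString(value) {
  return String(value).replace(NOT_SAFE, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Quote-only replacement, kept for comparison (hypothetical helper name).
function escapeQuotesOnly(value) {
  return String(value).replace(/'/g, "\\'");
}

// Stand-in for the server-side template line: selectedFile = '<value>';
function renderAssignment(value, escaper) {
  return "selectedFile = '" + escaper(value) + "';";
}

// True only if the rendered line stays inside its <script> block, parses as
// JavaScript, and yields the original value back. The evaluation step is meant
// for the constructed samples below, not for live input.
function survivesEmbedding(value, escaper) {
  const js = renderAssignment(value, escaper);
  if (/<\/script|<!--/i.test(js)) return false; // the HTML parser acts on these first
  try {
    return new Function("let selectedFile; " + js + " return selectedFile;")() === value;
  } catch (err) {
    return false; // SyntaxError: the string literal was broken
  }
}

// Constructed sample values; the first is the file name from the question.
const SAMPLES = [
  'XYZ 2/3" Technical',
  "O'Brien report.pdf",
  "trailing backslash\\",
  "line one\nline two",
  "notes </script> draft",
];

function compare() {
  return SAMPLES.map((value) => ({
    value,
    quotesOnly: survivesEmbedding(value, escapeQuotesOnly),
    allowlist: survivesEmbedding(value, escapeForJsString),
  }));
}

console.table(compare());
```

Where a JSON serializer is already available on the server, emitting the value through it and additionally escaping "<" serves the same purpose.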