Output pre-json encoded string to spring framework - java

I have a json:object I'm serving. As part of that json document, I want to serve some pre-encoded json. unfortunately, once served, the pre-encoded json is re-encoded. Is there a way to escape that property so it's simply served?
<json:property name="data"><c:out value="${overlay.boundry}"/></json:property>

I assume you mean that overlay.boundry has been HTML encoded. If so, then you just need to remove the c:out tag like this:
<json:property name="data">${overlay.boundry}</json:property>
or, if you really like JSTL tags:
<json:property name="data"><c:out value="${overlay.boundry}" escapeXml="false" /></json:property>
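Added example, not from the question or the answer above: the same idea in plain Java with Jackson, where the pre-encoded string is written into the document verbatim instead of being re-encoded as a JSON string. The input is parsed first, so only well-formed JSON is ever emitted unescaped. It assumes jackson-databind (2.9 or later, for FAIL_ON_TRAILING_TOKENS) on the classpath; the class name and the sample boundary value are constructed for illustration.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.fasterxml.jackson.databind.util.RawValue;

// Hypothetical class, constructed for this example.
public class RawJsonEmbedding {

    // FAIL_ON_TRAILING_TOKENS makes readTree reject input such as
    // `{} , "injected": 1`, which would otherwise be accepted up to the first value.
    private static final ObjectMapper MAPPER = new ObjectMapper()
            .enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);

    /**
     * Returns a JSON document whose "data" property holds preEncoded verbatim.
     * The string is parsed first so that malformed (or attacker-controlled)
     * text cannot break out of the enclosing document.
     */
    public static String embed(String preEncoded) throws JsonProcessingException {
        JsonNode parsed = MAPPER.readTree(preEncoded); // validation only
        if (parsed == null || parsed.isMissingNode()) {
            throw new IllegalArgumentException("empty JSON value");
        }
        ObjectNode root = MAPPER.createObjectNode();
        root.put("name", "overlay-1"); // constructed sample field
        // RawValue tells the serializer to write the text as-is, not as a quoted string.
        root.putRawValue("data", new RawValue(preEncoded));
        return MAPPER.writeValueAsString(root);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a pre-encoded GeoJSON-style boundary.
        String boundary = "{\"type\":\"Polygon\",\"coordinates\":[[[0,0],[1,0],[1,1],[0,0]]]}";
        System.out.println(embed(boundary));
        // For comparison, the re-encoded form the question complains about:
        System.out.println(MAPPER.writeValueAsString(boundary));
    }
}
```

The validation step is the part that matters: once a property is emitted without encoding, anything that is not valid JSON (a stray quote, a trailing object) would corrupt the whole response, so parse before you trust.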

Related

Output string as html in freemarker

So we are storing html in our data model. I need to output this into a freemarker template:
example:
[#assign value = model.value!]
${value}
value = '<p>This is <a href='somelink'>Some link</a></p>'
I have tried [#noescape] but it throws an error saying there is no escape block. see FREEMARKER: avoid escaping HTML chars. This solution did not work for me.
[#noescape] or <#noescape> is only valid when used inside an [#escape] tag. Your data is probably stored with the HTML encoded. You need to get the backend to un-encode the html.
Otherwise you'll need to do something like...
${value?replace("&gt;", ">")?replace("&lt;", "<")}
But that isn't a good approach because it won't catch all the encoded values and shouldn't be done in the view layer.

Process Thymeleaf variable as HTML code and not text

I'm using Thymeleaf to process html templates, I understood how to append inline strings from my controller, but now I want to append a fragment of HTML code into the page.
For example, let's say that I have this in my Java application:
String n="<span><i class=\"icon-leaf\"></i>"+str+"</span> \n";
final WebContext ctx = new WebContext(request, response, servletContext, request.getLocale());
ctx.setVariable("n", n);
What do I need to write in the HTML page so that it would be replaced by the value of the n variable and be processed as HTML code instead of it being encoded as text?
You can use th:utext attribute that stands for unescaped text (see documentation). Use this with caution and avoid user input in th:utext as it can cause security problems.
<div th:remove="tag" th:utext="${n}"></div>
If you want short-hand syntax you can use following:
[(${variable})]
Escaped short-hand syntax is
[[${variable}]]
but if you change inner square brackets [ with regular ( ones HTML is not escaped.
Example within tags:
<div>
[(${variable})]
</div>
Starting with Thymeleaf 3.0 the html friendly tag would be:
<div class="mailbox-read-message" data-th-utext="*{body}"></div>
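Added example, not from either of the answers above, covering both the FreeMarker answer (un-encode on the backend rather than in the view) and the Thymeleaf answer's caution about th:utext: before a stored HTML fragment is rendered unescaped by either engine, un-encode it and reduce it to an allow-list with the OWASP Java HTML Sanitizer. It assumes owasp-java-html-sanitizer and commons-text on the classpath; the class name, policy and the stored sample value are constructed.

```java
import org.apache.commons.text.StringEscapeUtils;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

// Hypothetical class, constructed for this example.
public class StoredHtml {

    // Allow only simple formatting, block elements and links; every other
    // element and attribute (event handlers, script, style) is dropped.
    private static final PolicyFactory POLICY =
            Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.LINKS);

    /** Un-encodes a value that was stored entity-encoded, e.g. "&lt;p&gt;...". */
    public static String unencode(String stored) {
        return StringEscapeUtils.unescapeHtml4(stored);
    }

    /** Reduces arbitrary HTML to the allow-listed subset. */
    public static String sanitize(String html) {
        return POLICY.sanitize(html);
    }

    /** What the controller should hand to ${value} / th:utext. */
    public static String prepareForView(String stored) {
        return sanitize(unencode(stored));
    }

    public static void main(String[] args) {
        // Constructed sample: the question's fragment, stored entity-encoded,
        // with an event handler and a script element mixed in.
        String stored = "&lt;p&gt;This is &lt;a href=&quot;somelink&quot; onclick=&quot;alert(1)&quot;&gt;"
                + "Some link&lt;/a&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;/p&gt;";
        // The paragraph and the link survive; onclick and the script element do not.
        System.out.println(prepareForView(stored));
    }
}
```

In the Thymeleaf case the controller then calls ctx.setVariable("n", StoredHtml.prepareForView(stored)) and the template keeps th:utext; in FreeMarker the sanitized string is what goes into model.value. Sanitizing on the server side, not in the template, is what makes the unescaped output defensible.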

ESAPI implementation for spring form tags

How can we implement ESAPI output encoding in an application using java and spring-mvc.
Read many posts and saw this:
<%@ page import="org.owasp.esapi.*" %>
<input type="hidden" name="hidden" value="<% out.print(ESAPI.encoder().encodeForHTML(content)); %>"/>
But, in my application all the jsps use spring form tags like the following,
<td>Number:
<form:input path="someNo" size="20" maxlength="18" id="firstfield" onkeypress="return PressAButton('submithidden');"/></td>
How can I have an ESAPI implementation for the above code? Is there any other way of implementing output encoding, like creating a filter or something? Any suggestions are greatly appreciated!
After researching spring tags a bit, it appears that the data-binding happens in framework code thus preventing you from applying any escaping in the jsp.
One, semi-quick win could be defaulting all output to escape HTML. Add this entry in web.xml:
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
The only problem here is that output-escaping is a BIG pain... the rules for html escaping are different when your value is going to be passed as data to an HTML attribute or a Javascript function. And there could be some parts of your application where you DO NOT want to html escape, but you should be able to override those with the form tag attribute htmlEscape="false" when you need to.
What you need is to be able to hook the part of Spring tags where it is binding the HTML to the form, but you need to be able to do it so you can escape based on where it's being placed. Escaping rules are different for an HTML attribute as opposed to plain HTML and if the value is going to be passed as data to a javascript function. So Spring's solution only defends one category of attack.
These are the only ways out I see, all of them will require work:
Use JSTL tags instead of Spring tags so you can write your variables with ${thisSyntax} and wrap them in esapi tags like this:
<c:out value="<esapi:encodeForHTML>${variable}</esapi:encodeForHTML>"/>
Follow a solution like what A. Paul put forward, where you do your context escaping back on the controller side. I'm aware you feel that this isn't an option, but the next solution I'm putting forward is untested.
Implement your own tag library that subclasses org.springframework.web.servlet.tags.form.InputTag, specifically the method writeValue. While esapi prevents a lot, I would recommend looking at owasp's new Encoder project to show you exactly how tricky output encoding is. Ideally your tag library will allow you to utilize either esapi's Encoder or this new API.
Just a thought not sure if this is what you are looking for.
Can you use the code below in Java, change the data in the bean itself and then send it to the user interface?
if ( ESAPI.securityConfiguration().getLogEncodingRequired() ) {
data = ESAPI.encoder().encodeForHTML(message);
}
You can check the below url.
http://www.jtmelton.com/tag/esapi/
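Added example, not from the answers above: the point that escaping rules depend on where the value lands, shown with the OWASP Java Encoder (the "new Encoder project" the first answer refers to). The same value is rendered as a text node, as a form:input-style value attribute, and as a string handed to the question's PressAButton function inside an onkeypress attribute, each with the encoding that context needs. It assumes the org.owasp.encoder artifact on the classpath; the class name and the sample value are constructed.

```java
import org.owasp.encoder.Encode;

// Hypothetical class, constructed for this example.
public class ContextEncoding {

    /** A text node between tags: HTML entity encoding is sufficient. */
    public static String textNode(String value) {
        return "<td>" + Encode.forHtml(value) + "</td>";
    }

    /** A quoted attribute value, which is what form:input writes into value="...". */
    public static String inputTag(String name, String value) {
        return "<input type=\"text\" name=\"" + Encode.forHtmlAttribute(name)
                + "\" value=\"" + Encode.forHtmlAttribute(value) + "\"/>";
    }

    /**
     * A value passed as data to a JavaScript function in an event-handler attribute.
     * Two layers: JavaScript string encoding for the inner context, then attribute
     * encoding for the outer one. (Encode.forJavaScriptAttribute does both in one call.)
     */
    public static String onKeyPress(String value) {
        String js = "return PressAButton('" + Encode.forJavaScript(value) + "');";
        return "<input type=\"hidden\" onkeypress=\"" + Encode.forHtmlAttribute(js) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed sample containing characters that matter in each context:
        // a quote for the JS string, angle brackets for HTML, a backslash for JS.
        String value = "O'Reilly <b>\"x\"</b> \\";
        System.out.println(textNode(value));
        System.out.println(inputTag("someNo", value));
        System.out.println(onKeyPress(value));
    }
}
```

The web.xml defaultHtmlEscape setting from the answer corresponds to the first case only: it HTML-escapes the bound value, which is correct for text and attribute contexts but does nothing about a backslash or quote that ends a JavaScript string literal. That is the "only one category" the answer is warning about.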

Thymeleaf string substitution and escaping

I have a string which contains raw data, which I want escaped. The string also contains markers which I want to replace with span tags.
For example my string is
"blah {0}something to span{1} < random chars <"
I would like the above to be rendered within a div, and replace {0} with and {1} with
I have tried a number of things, including doing the substitution in my controller, and trying to use the th:utext attribute, however I then get SAX exceptions.
Any ideas?
You can do this using i18n?
something like:
resource.properties:
string.pattern=my name is {0} {1}
thymeleaf view:
<label th:text="#{__${#string.pattern('john', 'doe')}__}"></label>
The result should be:
my name is john doe
I'm not sure this is a good way. But I hope it could help you.
It looks like using message parameters is the right approach to output formatted strings. See http://www.thymeleaf.org/doc/usingthymeleaf.html#messages
I suspect you need to pass character entity reference in order to avoid SAX exceptions
<span th:utext="#{string.pattern(${'<span>john</span>'}, ${'<span>doe</span>'})}"/>
Alternatively place the markup in your .properties file:
string.pattern=my name is <span>{0}</span> <span>{1}</span>
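Added example, not from the answers above: the controller-side approach for the question's exact string, which escapes the raw data first and only then swaps the {0}/{1} markers for span tags, so the stray < characters become &lt; and the fragment handed to th:utext is well-formed (which is what avoids the SAX exception). It assumes spring-web's HtmlUtils on the classpath; the class name and the span class are constructed.

```java
import org.springframework.web.util.HtmlUtils;

// Hypothetical class, constructed for this example.
public class MarkerHighlight {

    private static final String OPEN = "<span class=\"highlight\">";
    private static final String CLOSE = "</span>";

    public static String render(String raw) {
        // 1. Escape everything the user could have put in, including the stray '<'.
        String escaped = HtmlUtils.htmlEscape(raw);
        // 2. The markers contain no HTML-significant characters, so they survive
        //    escaping and can now be swapped for trusted markup.
        String html = escaped.replace("{0}", OPEN).replace("{1}", CLOSE);
        // 3. Refuse unbalanced markers: an unclosed span is still malformed markup.
        if (count(html, OPEN) != count(html, CLOSE)) {
            throw new IllegalArgumentException("unbalanced markers in: " + raw);
        }
        return html;
    }

    private static int count(String s, String sub) {
        int n = 0;
        for (int i = s.indexOf(sub); i >= 0; i = s.indexOf(sub, i + sub.length())) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) {
        // The string from the question.
        String raw = "blah {0}something to span{1} < random chars <";
        System.out.println(render(raw));
    }
}
```

The controller puts the result in the model (for example model.addAttribute("message", MarkerHighlight.render(raw))) and the template renders it with <div th:utext="${message}"></div>. Only the two span strings are ever emitted unescaped, and they are constants the user cannot influence.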

Get parameter with the character '#' from a query string on java

I am trying to get a request string that has the character # and my parameter only gets read until the #. But the thing is that I need to have this character, can't remove it.
Any idea?
Encode the # if it has to be there. A literal # indicates a fragment id and can't be used in a URI for any other purpose. w3schools has encoding tables so you can look up the values yourself, too.
You need to encode the parameter value correctly.
If the URL is generated by a JSP, make sure to use the JSTL c:url tag:
<c:url value="/path/to/myServlet">
<c:param name="param1" value="#paramValue"/>
</c:url>
If you're using straight Java, use URLEncoder.encode().
If the URL is static, use %23paramValue instead of #paramValue
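Added example, not from the answers above: what the servlet actually receives when the # is left literal versus percent-encoded, using only java.net. A literal # ends the query and starts the fragment, so the value never reaches the server; encoding it with URLEncoder (as the answer recommends) keeps it in the query. The class name is constructed; URLEncoder.encode(String, Charset) requires Java 10 or later.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Hypothetical class, constructed for this example.
public class HashParam {

    /** Builds /path/to/myServlet?param1=<encoded value>, the straight-Java equivalent of c:url + c:param. */
    public static String buildUrl(String paramValue) {
        return "/path/to/myServlet?param1=" + URLEncoder.encode(paramValue, StandardCharsets.UTF_8);
    }

    /** The decoded query string, which is what request.getParameter works from. */
    public static String queryOf(String url) {
        return URI.create(url).getQuery();
    }

    /** The fragment, which the browser keeps to itself and never sends to the server. */
    public static String fragmentOf(String url) {
        return URI.create(url).getFragment();
    }

    public static void main(String[] args) {
        // Constructed: the URL as the question builds it, with a literal '#'.
        String unencoded = "/path/to/myServlet?param1=#paramValue";
        System.out.println("query:    " + queryOf(unencoded));    // the value is cut off at '#'
        System.out.println("fragment: " + fragmentOf(unencoded)); // this is where it went

        // The same value percent-encoded, as the answer recommends.
        String encoded = buildUrl("#paramValue");
        System.out.println("url:      " + encoded);
        System.out.println("query:    " + queryOf(encoded));      // the '#' is back in the parameter
    }
}
```

URI.getQuery() returns the decoded form; use getRawQuery() when you need to see the %23 exactly as it is sent on the wire, for instance when writing an access-log check for such parameters.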
