JSF 2.0; escape="false" alternative to prevent XSS?

南方客 2020-12-18 12:35

In my JSF web application I'm using a messages.properties to output some text. This text could have HTML line breaks, so I format the outputText.

That all works fine, I

2 answers
  • 2020-12-18 12:57

    It should be possible to just escape the user-supplied parameter using the standard JSTL functions in the http://java.sun.com/jsp/jstl/functions namespace:

    <h:outputFormat value="#{bundle.myMessage}" escape="false">
        <f:param value="#{fn:escapeXml(param)}"/>
    </h:outputFormat>
    
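    As an added example (not code from the original post), the stand-alone Java program below simulates what this pattern produces: the trusted bundle message keeps its `<br/>`, while the untrusted parameter is escaped before it is formatted in with java.text.MessageFormat, the formatter h:outputFormat uses. The escapeXml helper is this example's own stand-in for JSTL fn:escapeXml, and the message text and parameter are constructed.

```java
import java.text.MessageFormat;

// Added example, not part of the original answer. Models the difference between
// <h:outputFormat escape="false"> fed a raw parameter and the same tag fed
// #{fn:escapeXml(param)}. The bundle message is trusted developer-authored text
// that may legitimately contain HTML; the parameter is untrusted request input.
public class OutputFormatDemo {

    // Trusted text, as it would sit in messages.properties (constructed sample).
    static final String BUNDLE_MESSAGE = "Hello {0},<br/>welcome back!";

    // Stand-in for JSTL fn:escapeXml (assumption of this example): neutralise the
    // five XML/HTML metacharacters so the value can only ever render as text.
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // escape="false" with a raw <f:param>: whatever the user sent lands in the
    // page as markup together with the bundle's HTML.
    static String renderUnsafe(String userParam) {
        return MessageFormat.format(BUNDLE_MESSAGE, userParam);
    }

    // escape="false" on the template, but the untrusted parameter is escaped
    // first, so the bundle's <br/> survives while the parameter cannot add tags.
    static String renderSafe(String userParam) {
        return MessageFormat.format(BUNDLE_MESSAGE, escapeXml(userParam));
    }

    public static void main(String[] args) {
        String param = "<script>alert(1)</script>"; // constructed hostile input
        System.out.println("unsafe: " + renderUnsafe(param));
        System.out.println("safe:   " + renderSafe(param));
    }
}
```

    Compare the two printed lines: only the "safe" one keeps the script tags as inert `&lt;script&gt;` text while the line break from the bundle is still real HTML.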
  • 2020-12-18 13:03

    XSS can't happen if you're outputting some HTML from a safe source which is not input or editable by the user. You can safely use escape="false" in this case.
