html-escape

I was looking through the Underscore.js api and I noticed that _.escape escapes & , < , > , " , ' , and / characters. What surprised me was escaping / . Is there a reason to escape / characters that I don't know about? EDIT : Alright, apparently, it is recommended by OWASP as it "helps end a HTML entity". Escape the following characters with HTML entity encoding to prevent switching into any execution context, such as script, style, or event handlers. Using hex entities is recommended in the spec. In addition to the 5 characters significant in XML (&, <, >, ", '), the forward slash is included

I have the following code: <h:outputText value="#{bean.shortDescription}" escape="false" /> The result is: <p><b>Location. </b> <br /> a The string from #{bean.shortDescription} is being taken from an XML response that is escaped: <p><b>Location. </b> <br /> a If I make the same output text as above, but instead of taking the response from the XML, I just put the escaped string that comes from the response, e.g.: <h:outputText value="<p><b>Location. </b> <br /> a" escape="false" /> Then the result is: Location. a How can I properly render the HTML tags I get from the XML? I do not want to

I'm using JSF with Primefaces, I want to use a buttonset of radiobutton with only images but I can't make it work. Here's the code: <p:selectOneButton value="#{LoginBean.user}" > <f:selectItem itemLabel="<img src="/myApp/faces/javax.faces.resource/myImg1.png?ln=img"/>" itemValue="1"/> <f:selectItem itemLabel="<img src="/myApp/faces/javax.faces.resource/myImg2.png?ln=img"/>" itemValue="2"/> </p:selectOneButton> I tried escaping characters with "escape", "escapeItem" and even "itemEscaped" attributes. I read about the last one in this other question . The solution in that question uses <h

How do I escape/sanitize a QString that contains HTML? I.e. showInBroswser(escaped(str)) == showInNotepad(str); PenguinCoder Qt 5 Use QString::toHtmlEscaped() QString src; Qstring html = src.toHtmlEscaped(); showInBrowser(html) == showInNotepad(str); Reference: http://doc.qt.io/qt-5/qstring.html#toHtmlEscaped Qt 4 Use Qt::escape . #include <QtGui/qtextdocument.h> QString src; Qstring html = Qt::escape(src); showInBrowser(html) == showInNotepad(str); Reference: http://doc.qt.io/qt-4.8/qt.html#escape gremwell Just to bring this answer up with the times, Qt 5.1 has QString::toHtmlEscaped() . If

This question already has an answer here: Component to inject and interpret String with HTML code into JSF page 1 answer I am using JSF 1.2 I am trying to print text using <h:outputtext> <h:outputText id="warningDose" styleClass="redText" value="#{templatePrescriptionMaintenanceBackingBean.doseWarningText}"></h:outputText> Now this variable contains text with html tags. <b> , <i> etc... But that displays content as it is instead of actual bold or italic html output. Is there any way we can make this <h:outputText> such that it gives html response? You should set in the h:outputText tag: escape

I have the following code: <h:outputText value="#{bean.shortDescription}" escape="false" /> The result is: <p><b>Location. </b> <br /> a The string from #{bean.shortDescription} is being taken from an XML response that is escaped: <p><b>Location. </b> <br /> a If I make the same output text as above, but instead of taking the response from the XML, I just put the escaped string that comes from the response, e.g.: <h:outputText value="<p><b>Location. </b> <br /> a" escape="false" /> Then the result is: Location. a How can I properly render the HTML tags I get from the XML? I do not want to