DisplayTag

option to automatically escape xml

Details

  • Type: Improvement Improvement
  • Status: Closed Closed
  • Priority: Minor Minor
  • Resolution: Fixed
  • Affects Version/s: 1.0 RC1
  • Fix Version/s: 1.1
  • Component/s: Decorators
  • Labels:
    None

Description

====
imported from sf tracker
id 929098
submitted by Adam Murray - admm
http://sourceforge.net/support/tracker.php?aid=929098
====

I'm displaying some strings that contain xml. These are
not diplayed by the web browser because it tries to
interpret the tag as html. To correct this I have to
use a decorator. It would be nice if there were an
option one could set for the table (or individual
columns) to automatically escape any xml in the strings
being displayed.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Maxwell Grender-Jones added a comment -
I should like to implement this feature, as we need it for our purposes as well (i.e. I'd rather not have to set a table decorator everywhere).

http://www.mail-archive.com/displaytag-devel@lists.sourceforge.net/msg01053.html

This thread discussed adding a escapeXML attribute to the table/column tag. How would this be implemented in practice? Presumably escapeXML would have to be passed through to the decorators used to display the entries of the table? I presume it would be no use to try to escapeXML elsewhere, as it would have to be done in many places (Column, TableTag etc) and should presumably be the responsibility of the decorator anyway (which might want to process escaped / unescaped xml, and then output appropriate escaped / unescaped xml as per the attribute).

Should we therefore add more decorator interfaces (to maintain backwards compatability) e.g. EscapingColumnDecorator (which could be told to escape HTML/XML or whatever, with an appropriate default)?

An easier way to do this would be to throw away the whole attribute idea, and add table.decorator to the list of configurable properties, and provide an xmlescaping decorator, s.t. that if a user wants site-wide xml escaping by default, they can set it in their displaytag.properties file.
Show
Maxwell Grender-Jones added a comment - I should like to implement this feature, as we need it for our purposes as well (i.e. I'd rather not have to set a table decorator everywhere). http://www.mail-archive.com/displaytag-devel@lists.sourceforge.net/msg01053.html This thread discussed adding a escapeXML attribute to the table/column tag. How would this be implemented in practice? Presumably escapeXML would have to be passed through to the decorators used to display the entries of the table? I presume it would be no use to try to escapeXML elsewhere, as it would have to be done in many places (Column, TableTag etc) and should presumably be the responsibility of the decorator anyway (which might want to process escaped / unescaped xml, and then output appropriate escaped / unescaped xml as per the attribute). Should we therefore add more decorator interfaces (to maintain backwards compatability) e.g. EscapingColumnDecorator (which could be told to escape HTML/XML or whatever, with an appropriate default)? An easier way to do this would be to throw away the whole attribute idea, and add table.decorator to the list of configurable properties, and provide an xmlescaping decorator, s.t. that if a user wants site-wide xml escaping by default, they can set it in their displaytag.properties file.
Hide
Permalink
Al Maw added a comment -
This should be made simple/easy for the common cases:

<display:column property="foo"/>

For columns that use a property, they should "notice" when that property is a String, and automagically XHTML escape things, unless you set escapeXml="false".

I guess this needs to be a configuration option in displaytag.properties so escapeXml="false" is the default, otherwise this would break backwards-compatibility,

<display:column>
    <c:out [...]/>
</display:column>

For columns that don't use a property, the contents should not be escaped, unless the escapeXml="true" property is set (which would be a nice convenience function.
Show
Al Maw added a comment - This should be made simple/easy for the common cases: <display:column property="foo"/> For columns that use a property, they should "notice" when that property is a String, and automagically XHTML escape things, unless you set escapeXml="false". I guess this needs to be a configuration option in displaytag.properties so escapeXml="false" is the default, otherwise this would break backwards-compatibility, <display:column>     <c:out [...]/> </display:column> For columns that don't use a property, the contents should not be escaped, unless the escapeXml="true" property is set (which would be a nice convenience function.
Hide
Permalink
Ralf Hauser added a comment -
This is important because if the property contains HTML strings, those could possibly be used to construct a cross-site-scripting attack.
In struts,

   String org.apache.struts.taglib.TagUtils.filter(String value)

protects against this.
Show
Ralf Hauser added a comment - This is important because if the property contains HTML strings, those could possibly be used to construct a cross-site-scripting attack. In struts,    String org.apache.struts.taglib.TagUtils.filter(String value) protects against this.
Hide
Permalink
fabrizio giustina added a comment -
new escapeXml attribute added to column tag for 1.1.
Tests and documentation updated
Show
fabrizio giustina added a comment - new escapeXml attribute added to column tag for 1.1. Tests and documentation updated

People

  • Reporter:
    fabrizio giustina
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: