DisplayTag / DISPL-80

option to automatically escape xml

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.0 RC1
    • Fix Version/s: 1.1
    • Component/s: Decorators
    • Labels: None

      Description

      ====
      imported from sf tracker
      id 929098
      submitted by Adam Murray - admm
      http://sourceforge.net/support/tracker.php?aid=929098
      ====

      I'm displaying some strings that contain xml. These are
      not displayed by the web browser because it tries to
      interpret the tag as html. To correct this I have to
      use a decorator. It would be nice if there were an
      option one could set for the table (or individual
      columns) to automatically escape any xml in the strings
      being displayed.

        Activity

        Maxwell Grender-Jones added a comment -
        I should like to implement this feature, as we need it for our purposes as well (i.e. I'd rather not have to set a table decorator everywhere).

        http://www.mail-archive.com/displaytag-devel@lists.sourceforge.net/msg01053.html

        This thread discussed adding an escapeXML attribute to the table/column tag. How would this be implemented in practice? Presumably escapeXML would have to be passed through to the decorators used to display the entries of the table? I presume it would be no use to try to escapeXML elsewhere, as it would have to be done in many places (Column, TableTag etc) and should presumably be the responsibility of the decorator anyway (which might want to process escaped / unescaped xml, and then output appropriate escaped / unescaped xml as per the attribute).

        Should we therefore add more decorator interfaces (to maintain backwards compatibility) e.g. EscapingColumnDecorator (which could be told to escape HTML/XML or whatever, with an appropriate default)?

        An easier way to do this would be to throw away the whole attribute idea, and add table.decorator to the list of configurable properties, and provide an xmlescaping decorator, such that if a user wants site-wide xml escaping by default, they can set it in their displaytag.properties file.
        Al Maw added a comment -
        This should be made simple/easy for the common cases:

        <display:column property="foo"/>

        For columns that use a property, they should "notice" when that property is a String, and automagically XHTML escape things, unless you set escapeXml="false".

        I guess this needs to be a configuration option in displaytag.properties so escapeXml="false" is the default, otherwise this would break backwards-compatibility.

        <display:column>
            <c:out [...]/>
        </display:column>

        For columns that don't use a property, the contents should not be escaped, unless the escapeXml="true" property is set (which would be a nice convenience function).
        Ralf Hauser added a comment -
        This is important because if the property contains HTML strings, those could possibly be used to construct a cross-site-scripting attack.
        In struts,

           String org.apache.struts.taglib.TagUtils.filter(String value)

        protects against this.
        fabrizio giustina added a comment -
        new escapeXml attribute added to column tag for 1.1.
        Tests and documentation updated
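One way to implement the decorator-based escaping that Maxwell Grender-Jones describes, together with the "escape only when the property is a String" rule Al Maw proposes, as an added example written for this page; it is not DisplayTag's own code and not code posted by any commenter. It assumes the DisplayTag 1.0 ColumnDecorator interface with a single decorate(Object) method and the column tag's decorator attribute (both assumptions; the DisplayTag import is left out so the file compiles and runs on its own). With the escapeXml attribute fabrizio giustina added to the column tag in 1.1 the same result comes from the tag itself.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Column decorator that XML/XHTML-escapes String column values before they
 * are written into the table body, so a value such as
 * "<script>alert(document.cookie)</script>" is displayed as text instead of
 * being interpreted by the browser.
 *
 * Added example, not DisplayTag code. In a DisplayTag 1.0 deployment this
 * class would declare
 *     implements org.displaytag.decorator.ColumnDecorator
 * (interface name and its decorate(Object) method are assumed from the 1.0
 * API) and be referenced from the JSP with the column tag's decorator
 * attribute (also assumed):
 *     <display:column property="comment" decorator="example.XmlEscapingColumnDecorator"/>
 */
public class XmlEscapingColumnDecorator {

    /**
     * Escapes the five characters that are significant in XHTML text and
     * attribute values. A single pass means every '&' is escaped exactly
     * once; the decorator never tries to guess whether input is "already
     * escaped", which is the usual source of double- or under-escaping bugs.
     */
    public static String escapeXml(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // &apos; is not defined in HTML 4; numeric form works everywhere
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Decorator entry point. Only String values are escaped; other types
     * (Number, Date, ...) are rendered exactly as the page already renders
     * them, since they cannot carry markup. Null is rendered as an empty cell.
     */
    public String decorate(Object columnValue) {
        if (columnValue instanceof String) {
            return escapeXml((String) columnValue);
        }
        return columnValue == null ? "" : String.valueOf(columnValue);
    }

    public static void main(String[] args) {
        XmlEscapingColumnDecorator decorator = new XmlEscapingColumnDecorator();
        // Constructed sample values standing in for a user-controlled "comment" property.
        List<Object> cells = Arrays.asList(
            "<b>bold</b>",
            "<script>alert(document.cookie)</script>",
            "Tom & \"Jerry\"",
            Integer.valueOf(42),
            null);
        for (Object cell : cells) {
            System.out.println("raw:     <td>" + cell + "</td>");
            System.out.println("escaped: <td>" + decorator.decorate(cell) + "</td>");
        }
    }
}
```

The decorator is the right place for this rather than the table tag because, as the thread notes, the decorator is the last code to see the value before it is written, and escaping once at that point cannot be undone by a later step. The converse caveat also holds: a decorator that deliberately emits markup (links, images) must be the one that escapes the data it embeds, since nothing downstream will.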

          People

          • Reporter: fabrizio giustina
          • Votes: 0
          • Watchers: 1
