In my JSF web application I'm using a messages.properties to output some text. This text could have HTML line breaks to format the outputText.
That all works fine if I set the escape="false" attribute on the outputText.
The problem is, this attribute with value "false" doesn't prevent XSS (cross-site scripting), so I remove this attribute and use the default value "true".
So, I don't want to split all text lines into separate properties in my messages.properties like in this example:
mytext = This is my text<br />with line break and user value {0}...
after:
mytext1 = This is my text
mytext2 = with line break and user value {0}...
Is there any way, other than escape="false", that also prevents XSS?
Thanks!
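One way to keep the `<br />` from the bundle while neutralizing the `{0}` value, shown as an added example that is not part of the original post: HTML-escape each argument before it is substituted, so only the developer-controlled pattern contributes markup. The class and method names are hypothetical, and the sketch assumes that messages.properties is trusted and that the result is rendered in an HTML body context with escape="false".

```java
import java.text.MessageFormat;

public class SafeMessageFormat {

    // Minimal HTML escaper for element text and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // The pattern comes from the resource bundle and is treated as trusted
    // markup; every argument is treated as untrusted and escaped first.
    // Arguments are converted to strings, so {0,number} style formats
    // are not supported by this helper.
    static String format(String trustedPattern, Object... userArgs) {
        Object[] escaped = new Object[userArgs.length];
        for (int i = 0; i < userArgs.length; i++) {
            escaped[i] = escapeHtml(String.valueOf(userArgs[i]));
        }
        return MessageFormat.format(trustedPattern, escaped);
    }

    public static void main(String[] args) {
        // Pattern as it appears in the question's messages.properties.
        String pattern = "This is my text<br />with line break and user value {0}...";
        // Constructed sample of a user value that contains markup.
        String userValue = "<script>alert(1)</script>";
        // The <br /> survives; the user value is emitted as inert text:
        // ...user value &lt;script&gt;alert(1)&lt;/script&gt;...
        System.out.println(format(pattern, userValue));
    }
}
```

The formatted string is safe to emit unescaped only while no part of the pattern itself is user-controlled.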