rich:editor problem. How to displaying the input text with JSF h:outputText (escape problem)

babazs Mar 9, 2010 6:53 AM

HY!

What is the official solution to displaying a text that is typed in a rich:editor (because it generates html characters)

If I use <h:outputText value="#{richeditorvalue.text}" escape="true" />

It will show html characters instead of formatted text.

If I use <h:outputText value="#{richeditorvalue.text}" escape="false" />

I will give a possibility to Cross Site Scripting.

Or, I should use escape=false with server validation?

So which is the good way?

1. Re: rich:editor problem. How to displaying the input text with JSF h:outputText (escape problem)

ilya_shaikovsky Mar 9, 2010 9:16 AM (in response to babazs)

http://seamframework.org/Documentation/CrossSiteScripting

check section about <s:formattedText/>
Actions
2. Re: rich:editor problem. How to displaying the input text with JSF h:outputText (escape problem)

babazs Mar 9, 2010 9:51 AM (in response to ilya_shaikovsky)

thanks.
It would be a good solution, but Seam text + rich:editor had a lot of problem based in my experiences.
Actions
3. Re: rich:editor problem. How to displaying the input text with JSF h:outputText (escape problem)

nbelaevski Mar 10, 2010 5:33 AM (in response to babazs)

If SeamText doesn't satisfy your requirements, then you should use escape=false with server validation.
Actions