-
1. Re: Displaying HTML formatted text
gjeudy Apr 8, 2008 9:41 PM (in response to oleg_p)
I haven't tried it myself, but have you tried:
<f:verbatim>html content</f:verbatim>
?
-
2. Re: Displaying HTML formatted text
mail.micke Apr 8, 2008 9:49 PM (in response to oleg_p)
Hi,
have you tried
<div>
  <h:outputText value="#{myBean.htmlFormattedText}" escape="false"/>
</div>
- Micke
-
3. Re: Displaying HTML formatted text
oleg_p Apr 8, 2008 11:36 PM (in response to oleg_p)
OK, both options work fine :-)
Thanks a lot!
-
4. Re: Displaying HTML formatted text
christian.bauer Apr 8, 2008 11:53 PM (in response to oleg_p)
And if the value of myBean.htmlFormattedText was input from a user, you now have a wonderful XSS security hole :)
-
5. Re: Displaying HTML formatted text
oleg_p Apr 9, 2008 1:25 AM (in response to oleg_p)
Hi Christian,
Yes, you're right, unluckily this is a big issue :-(
At first I tried to move in the direction of BBcode, but I have now decided to stay with a small whitelist of HTML tags/attributes (even without links and images) + the TinyMCE WYSIWYG editor.
I don't know whether this approach will lead to XSS holes, users will tell later :-)
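
One way to enforce the small tag whitelist described in reply 5 on the server, before the value reaches escape="false" (an added example, not code from the thread or from any poster). It assumes the OWASP Java HTML Sanitizer library is on the classpath; the MyBean class, its tag list and the sample input are hypothetical.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Hypothetical backing bean behind #{myBean.htmlFormattedText}.
public class MyBean {

    // Allowlist: formatting tags only. No <a>, no <img>, and no attributes at all,
    // so style, on* event handlers and javascript: URLs have nowhere to live.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li")
            .toFactory();

    private String rawHtml = "";

    // Receives whatever the browser posted. The WYSIWYG editor's own filtering
    // runs client-side and can be bypassed by posting directly, so it is not trusted.
    public void setHtmlFormattedText(String submitted) {
        this.rawHtml = (submitted == null) ? "" : submitted;
    }

    // Sanitize on the way out, so every escape="false" render only ever
    // sees markup that passed the policy.
    public String getHtmlFormattedText() {
        return POLICY.sanitize(rawHtml);
    }

    public static void main(String[] args) {
        MyBean bean = new MyBean();
        // Constructed sample input: allowed formatting mixed with markup the policy drops.
        bean.setHtmlFormattedText(
                "<p>Hello <b>world</b></p>"
              + "<script>alert(1)</script>"
              + "<img src=x onerror=alert(1)>"
              + "<a href=\"javascript:alert(1)\">link</a>");
        System.out.println(bean.getHtmlFormattedText());
    }
}
```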
-
6. Re: Displaying HTML formatted text
maruthyshetty Dec 7, 2011 7:08 AM (in response to oleg_p)
Thanks Mikael Andersson, it works fine for me :-)