Hi All,
I have a problem with a rich:pickList rendering s:selectItems unescaped. The values being displayed in my pickList are grabbed from the DB, where they were first entered by the user, so it is possible that a user may have put something nasty like '<script>alert('badness')</script>' in there.
I've noticed that the default setting for s:selectItems is to automatically escape any selectItem object it generates (i.e. escape=true), so I'm unsure why my values are being displayed unescaped.
I am also using a converter for my pickList; however, the value it returns from getAsString() is always escaped.
Here is the code for my rich:pickList:
<rich:pickList
    id="aPickList"
    value="#{pickList.groups}"
    converter="#{aConverter}"
    valueChangeListener="#{pickList.selectionChanged}"
    copyControlLabel="Select"
    copyAllControlLabel="Select All"
    removeControlLabel="Restore"
    removeAllControlLabel="Restore All">
    <s:selectItems value="#{groups}" var="group" label="#{group.name}" />
</rich:pickList>
It'd be great if you could let me know either what I'm doing wrong, or whether this is a common problem with the pickList tag. I'm using Seam 2.1.1.GA on JBoss 4.2.3.GA.
I think I've covered everything relevant, let me know if you need more info.
Regards, Marcus
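As an added example, not part of the original post and not RichFaces or Seam code: the post distinguishes two places a stored value can reach the page, the submitted value (what the converter's getAsString() produces, reported as escaped) and the visible label (what s:selectItems label= produces, reported as unescaped). The check below models one list item as a plain HTML option, once with the label escaped and once without, then audits the rendered markup the way one would audit the real page source: an element tag appearing inside an option is evidence that the label was emitted raw. The sample label is constructed from the payload quoted in the post; render_option is a stand-in for the component's output, not its actual rendering.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample: a label a user might have stored in the DB (payload from the post).
NASTY_LABEL = "Marketing <script>alert('badness')</script>"


def render_option(label: str, value: str, escape_label: bool) -> str:
    """Stand-in for what a select-based pick list emits for one item.

    Assumption: the submitted value is always escaped (as the post reports for
    getAsString()); only the label's escaping is toggled, modelling escape=true
    versus escape=false on the item.
    """
    text = escape(label) if escape_label else label
    return f'<option value="{escape(value, quote=True)}">{text}</option>'


class OptionAudit(HTMLParser):
    """Collects option label text and any element tags opened inside an option."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: entities arrive decoded in handle_data
        self.labels: list[str] = []
        self.injected_tags: list[str] = []
        self._in_option = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "option":
            self._in_option = True
            self._buf = []
        elif self._in_option:
            # Real markup inside an option means the label reached the page unescaped.
            self.injected_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == "option":
            self._in_option = False
            self.labels.append("".join(self._buf))

    def handle_data(self, data):
        if self._in_option:
            self._buf.append(data)


def audit(fragment: str) -> dict:
    """Return the decoded labels and any tags injected through them."""
    parser = OptionAudit()
    parser.feed(fragment)
    parser.close()
    return {"labels": parser.labels, "injected_tags": parser.injected_tags}


if __name__ == "__main__":
    for escaped in (False, True):
        report = audit(render_option(NASTY_LABEL, "3", escape_label=escaped))
        print(f"escape_label={escaped}: {report}")
```

With the label escaped, the browser-side decode yields the original text as a single label and no injected tags; with it raw, the script element is parsed as markup, which is exactly the condition the audit flags.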