Hi All,
I have a problem with a rich:pickList rendering s:selectItems unescaped. The values being displayed in my pickList are grabbed from the DB, where they were first entered by the user - so it is possible that a user may have put something nasty like '<script>alert('badness')<\script>' in there.
I've noticed that the default setting for s:selectItems is to automatically escape any selectItem object it generates (i.e. escape=true), so I'm unsure why my values are being displayed unescaped.
I am also using a converter for my pickList, however the value it returns from getAsString() is always escaped.
Here is the code for my rich:pickList:
<rich:pickList id="aPickList"
               value="#{pickList.groups}"
               converter="#{aConverter}"
               valueChangeListener="#{pickList.selectionChanged}"
               copyControlLabel="Select"
               copyAllControlLabel="Select All"
               removeControlLabel="Restore"
               removeAllControlLabel="Restore All">
    <s:selectItems value="#{groups}" var="group" label="#{group.name}" />
</rich:pickList>
It'd be great if you could let me know either what I'm doing wrong, or if this is a common problem with the pickList tag. I'm using seam 2.1.1.GA, on JBoss 4.2.3.GA.
I think I've covered everything relevant, let me know if you need more info.
Regards, Marcus
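Added example, not part of the original post and not Seam or RichFaces code: a plain-Java stand-in for what a select-style component renders for one item. It assumes a Group entity with an id and a user-entered name, and a converter whose getAsString() returns the id (a common pattern; the real converter is not shown on the page). The point it makes visible is that the converter output lands in the option's value attribute, while the text the user sees comes from the label expression (#{group.name}), so escaping getAsString() alone does not neutralise markup stored in the name; the label has to be escaped at render time.

```java
import java.util.Arrays;
import java.util.List;

public class PickListEscapeDemo {

    /** Minimal stand-in for the Group entity loaded from the database (assumed shape). */
    static final class Group {
        final long id;
        final String name;
        Group(long id, String name) { this.id = id; this.name = name; }
    }

    /** HTML-escape the characters that matter in element content and attribute values. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Stand-in for a JSF Converter's getAsString(): it supplies the option VALUE, not the label. */
    static String getAsString(Group g) {
        return escapeHtml(Long.toString(g.id));
    }

    /** Stand-in for a JSF Converter's getAsObject(): resolve the submitted id back to a Group. */
    static Group getAsObject(String submitted, List<Group> known) {
        long id = Long.parseLong(submitted);
        for (Group g : known) {
            if (g.id == id) return g;
        }
        throw new IllegalArgumentException("unknown group id: " + submitted);
    }

    /** Render one option the way a select-style component would, escaping the label or not. */
    static String renderOption(Group g, boolean escapeLabel) {
        String label = escapeLabel ? escapeHtml(g.name) : g.name;
        return "<option value=\"" + getAsString(g) + "\">" + label + "</option>";
    }

    public static void main(String[] args) {
        // Constructed sample: a group name a user typed that contains markup.
        List<Group> groups = Arrays.asList(
            new Group(1L, "Administrators"),
            new Group(42L, "<script>alert('badness')</script>"));

        for (Group g : groups) {
            System.out.println("label unescaped: " + renderOption(g, false));
            System.out.println("label escaped:   " + renderOption(g, true));
        }

        // The converter round-trips the id, which is what a form submit carries back.
        Group back = getAsObject(getAsString(groups.get(1)), groups);
        System.out.println("round-tripped group name: " + escapeHtml(back.name));
    }
}
```

Running this shows that the value attribute is identical and harmless in both lines, while only the escaped variant turns the stored `<script>` text into `&lt;script&gt;`; when checking a component like rich:pickList, it is the label path, not the converter path, that needs to be confirmed as escaped.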