I have a database column that contains the following:

    <p><span style="color: #ff0000"><strong>$9,500,000.00</strong></span></p>
    <p>$11,000,000.00</p>

In JSF 1.2 and Icefaces 1.8.2, this data would output fine. Under JSF 2.1 and Icefaces 3.0, I get what you see - just plain text.

Here's a snippet of code and the value is in the amount field:

        <ice:column>
            <f:facet name="header">
                <ice:outputText value="Amount"/>
            </f:facet>
            <ice:outputText value="#{offDoc.amount}"/>
        </ice:column>

I tried to wrap the ice:outputText tag with a tag but it didn't work. Any ideas?

  • I'm not seeing "just plain text" in your first output. I see styled text. Not clear what the issue is. – Marc Apr 29 '12 at 04:10
  • My column in the database contains an amount that includes html tag information as indicated above. What I get in production today is the actual formatting - $9,500,000 with bold and colored text. What I see now is just the html value unformatted. I'm not sure what else to use to get it to convert using the styles. – Patrick Dezenzio Apr 29 '12 at 04:26
  • Are you saying that IceFaces is escaping your HTML instead of interpreting it? – Marc Apr 29 '12 at 04:27
  • That's correct. For some reason going to JSF 2.1 and Icefaces 3 has resulted in escaping it instead of interpreting it. – Patrick Dezenzio Apr 29 '12 at 04:35
  • JSF indeed implicitly escapes HTML to prevent XSS attack holes. Please be careful that the particular data isn't controlled by external users. After all, storing markup in a database is a very poor practice, unless user-controlled ... which should be whitelisted. See also http://stackoverflow.com/questions/7722159/csrf-xss-and-sql-injection-attack-prevention-in-jsf/7725675#7725675 – BalusC Apr 29 '12 at 04:35
  • Yes I only allow certain users to add markup to the database. No external user could ever do it. Given that this is a special case, how would you do it? The users have specified that amounts be allowed to contain markup such as bold and the color red (to indicate a negative value)? I allow them access using an Admin page that requires security rights. All other users have read only access that provides no way for XSS or SQL injection. – Patrick Dezenzio Apr 29 '12 at 04:53

1 Answer

You need something like this to turn off HTML escaping:

    <ice:outputText value="#{offDoc.amount}" escape="false"/>

See here: http://res.icesoft.org/docs/latest/tld/ice/outputText.html

If the "escape" attribute is not present, or it is present and its value is "true" all angle brackets should be converted to the ampersand xx semicolon syntax when rendering the value of the "value" attribute as the value of the component. If the "escape" attribute is present and is "false" the value of the component should be rendered as text without escaping.

Marc
  • That was the answer I needed. I really need to get Netbeans back up using 6.5.1 and Windows 7 64 bit. Using Notepad sucks these days:-) I missed the escape in the component suite documentation. – Patrick Dezenzio Apr 29 '12 at 04:57
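Setting escape="false" re-enables raw HTML output, so the allowlisting BalusC mentions has to happen on the admin page that writes the column. Added example, not code from the question, the answer or ICEfaces: a JSF 2 validator that accepts a value only if it is built entirely from the three tag forms seen in the column, properly nested, and rejects anything else (class name, validator id and message text are assumptions).

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.FacesValidator;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;
// Hypothetical validator attached to the admin page's input for the amount column.
@FacesValidator("amountMarkupValidator")
public class AmountMarkupValidator implements Validator {
    // One token at a time: a complete tag, or a run of text with no angle brackets.
    private static final Pattern TOKEN = Pattern.compile("<[^<>]*>|[^<>]+");
    // Only the tags the column actually uses, and only one fixed-form attribute.
    private static final Pattern OPEN_TAG =
            Pattern.compile("<(p|strong|span style=\"color: #[0-9a-fA-F]{6}\")>");
    private static final Pattern CLOSE_TAG = Pattern.compile("</(p|strong|span)>");
    // Text may hold amounts and plain words; '&' is excluded so no entities get through.
    private static final Pattern TEXT = Pattern.compile("[A-Za-z0-9 $,.()\\-]+");
    // True only if the whole value is built from allowlisted, properly nested tags.
    public static boolean isAllowedMarkup(String markup) {
        Deque<String> open = new ArrayDeque<>();
        Matcher m = TOKEN.matcher(markup);
        int pos = 0;
        while (m.find()) {
            if (m.start() != pos) return false;          // stray '<' or '>' between tokens
            String tok = m.group();
            pos = m.end();
            Matcher t = OPEN_TAG.matcher(tok);
            if (t.matches()) {
                open.push(t.group(1).split(" ")[0]);     // tag name, for nesting checks
            } else if ((t = CLOSE_TAG.matcher(tok)).matches()) {
                if (open.isEmpty() || !open.pop().equals(t.group(1))) return false;
            } else if (!TEXT.matcher(tok).matches()) {
                return false;                            // unknown tag, attribute or character
            }
        }
        return pos == markup.length() && open.isEmpty();
    }

    @Override
    public void validate(FacesContext ctx, UIComponent comp, Object value) {
        if (value != null && !isAllowedMarkup(value.toString())) {
            throw new ValidatorException(new FacesMessage("Amount markup contains tags or characters that are not allowed."));
        }
    }
}
```

Attach it to the admin input with `<f:validator validatorId="amountMarkupValidator"/>`; both sample values from the question pass, while anything with an extra tag, attribute or entity is rejected before it reaches the database.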