CODEWITHSUNDEEP
jsfjsf-2html-escape
urbanmarsupial
urbanmarsupial

Reputation: 21

h:outputText is not escaping HTML entities

I am having an issue where '<' is NOT escaped by outputText in JSF.

I am running Tomcat 7.0.40 with JSF 2.0, and have the following declarations:

<?xml version="1.0" encoding="UTF-8"?>
<f:view contentType="text/html" encoding="UTF-8">

This line breaks the HTML because the '<' is NOT escaped:

<h:outputText value="Some < text from the database"/>

The output shows "Some" and then the HTML is broken because of the un-escaped '<'

The '<' is correct in the database, and it also renders correctly in the form text box:

 <p:inputText value="#{db_data}" ... />

My web.xml file contains:

<filter>
    <filter-name>encodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
        <param-name>forceEncoding</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

A bit of my POM...

 <!-- JSF -->
    <dependency>
        <groupId>com.sun.faces</groupId>
        <artifactId>jsf-api</artifactId>
        <version>2.1.12</version>
        <exclusions>
            <exclusion>
                <groupId>javax.servlet.jsp</groupId>
                <artifactId>javax.servlet.jsp-api</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>com.sun.faces</groupId>
        <artifactId>jsf-impl</artifactId>
        <version>2.1.12</version>
    </dependency>

    <dependency>
        <groupId>org.primefaces</groupId>
        <artifactId>primefaces</artifactId>
        <version>3.4.1</version>
    </dependency>

    <dependency>
        <groupId>org.omnifaces</groupId>
        <artifactId>omnifaces</artifactId>
        <version>1.4.1</version>
        <!-- Or 1.5-SNAPSHOT -->
    </dependency>

Of course, other HTML entities are also NOT being escaped: &, >, etc.

Regardless if I use #{output}, <h:outputText value="#{output}"/>, or <h:outputText value="#{output}" escape="true"/>, the output is NOT escaped...

Upvotes: 1

Views: 3071

Answers (2)

BalusC
BalusC

Reputation: 1108722

This is caused by a bug in Mojarra 2.1.12 which is reported as issue 2503 and fixed in 2.1.13.

So, if you upgrade to at least Mojarra 2.1.13, then this peculiar problem should disappear.

Upvotes: 1

urbanmarsupial
urbanmarsupial

Reputation: 21

This issue was resolved by upgrading to jsf-impl 2.1.26.

Upvotes: 1

Related Questions