user3095339

Reputation: 13

Escape everything but linebreaks in h:outputText

I have text that the user input in a textarea and I want to display it on another page.

The first issue is that the linebreaks coming from the textarea are \r\n instead of br, but I could simply just replace all of them. The actual problem I need help with is displaying it after that:

h:outputText by default escapes everything, so to get the linebreaks to work I need to do escape="false", but for obvious reasons I don't want the user to be able to mess up the page by inputting other HTML tags or even worse, JavaScript. So I need to somehow escape everything but the linebreaks.

How should I do this? Or is there maybe a different JSF component that would make this more simple?

Unfortunately pre tags or CSS white-space are not an option.

Upvotes: 1

Views: 1331

Answers (1)

BalusC

Reputation: 1108642

Instead of replacing \n by <br> and using <h:outputText escape="false">, you can also just display the text preformatted so that \n appears as a true newline. You can use the element's CSS white-space property for this which can be set to pre, pre-wrap or pre-line.

E.g.

<h:outputText value="#{bean.text}" styleClass="preformatted" />

with

.preformatted {
    white-space: pre;
}

If you really intend to present the text as unescaped HTML, then you can sanitize XSS attack vectors away by using an HTML parser capable of the job, such as Jsoup. See also this answer which I posted yesterday: JSF OutputText with html style.

Upvotes: 2
