JSF 2.0;逸出= QUOT假QUOT;替代防止XSS? [英] JSF 2.0; escape="false" alternative to prevent XSS?
问题描述
在我的jsf webapplication中,我使用messages.properties输出一些文本。这个文本可能有html换行符,所以格式化outputtext。
In my jsf webapplication i'm using a messages.properties to output some text. This text could have html line breaks so format the outputtext.
如果我将escape =false属性设置为outputtext,那一切正常。
That all works fine, if i set the escape="false" attribute to the outputtext.
问题是,这个值为false的属性不会阻止vor XSS(跨站点脚本),所以我删除了这个属性并使用default-valuetrue。
The problem is, this attribute with value "false" doesn't prevent vor XSS (cross site scripting) so i remove this attribute and use default-value "true".
所以,我不想将所有文本行拆分为我的messages.properties中的单独属性,如下例所示:
So, i dont want to split all text lines to seperate properties in my messages.properties like in this example:
mytext = This is my text<br />with line break and user value {0}...
之后:
mytext1 = This is my text
mytext2 = with line break and user value {0}...
有什么办法,除了escape = false但是这会阻止xss?
is there any way, other than escape="false" but that prevent from xss?
谢谢!
推荐答案
应该可以使用 http中的/cd/E17802_01/j2ee/javaee/javaserverfaces/2.0/docs/pdldocs/facelets/fn/tld-summary.htmlrel =nofollow>标准jstl函数: //java.sun.com/jsp/jstl/functions 命名空间:
It should be possible to just escape the user supplied parameter using the standard jstl functions in the http://java.sun.com/jsp/jstl/functions
namespace:
<h:outputFormat value="#{bundle.myMessage}" escape="false">
<f:param value="#{fn:escapeXml(param)}"/>
</h:outputFormat>
这篇关于JSF 2.0;逸出= QUOT假QUOT;替代防止XSS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!