Christopher Schultz wrote:
Vinodtr,
vinodtr wrote:
I am now using Apache Velocity 1.4 in my project. I would like to
incorporate the escaping HTML feature in my project without bringing in
Velocity 1.5. I could find that there is a tool called EscapeTool to achieve
it. But to do that, I need to change all my velocity templates to enclose
all fields inside $esc.html($form.bean.XXXX).
This is the best way to achieve HTML escaping. If you'd like, you can
write a short macro like this:
#macro(htmlEscape $text)#if($text)$esc.html($text)#end#end
So, IOW, every time, that you want to write $foo you write instead:
#htmlEscape($foo)
Doesn't that get a bit ugly and repetitious? If you want to apply the
same routine to every output reference on the page, shouldn't there be a
way of doing that?
This will allow you to change the implementation more easily in the
future if you wish.
I would like to know if there is any way to achieve HTML escaping as a
whole with velocity 1.4 itself.
The only way to do this would be to override the implementation of
Velocity's "toString" behavior when writing variable values to an output
stream.
You wouldn't want to do this globally, though, because some values
should not be HTML escaped.
I think your best bet is to escape them individually as you have
demonstrated above. Yes, it's a lot of work, but that tends to be the
case when you want to go back and add something like this. That's the
penalty for not planning ahead.
I can't see how this is a penalty for not planning ahead. It is simply a
characteristic of the problem space that you will very likely want to
escape the output of variables this way.
Actually, it seems to me that it's the penalty for using an underpowered
tool. Something like this is so basic for a templating tool that outputs
to the web that it is staggering that in its 8th year of existence,
Apache Velocity completely fails to address this.
In FreeMarker, for example, you just put your page (or the block to
which you want this to apply) inside an escape block as follows:
<#escape x as (x)?html>
</#escape>
Of course, you sometimes need to turn it off, so for those cases, you have:
<#unescape>
...
</#unescape>
within the escape block.
For more complete information, see:
http://freemarker.org/docs/ref_directive_escape.html
Jonathan Revusky
--
lead developer, FreeMarker project, http://freemarker.org/
-chris