In Dynamo, our equivalent to the property display mechanism
automatically encodes property values to escape special HTML
characters (<, >, &).  The reasoning is that data-supplying beans
should have no presentation-specific code, especially code that
formats property values into HTML.  Instead, the presentation layer,
such as JSP, should handle formatting data.

By default, we assume that all property values want their data to be
escaped - i.e., the property values do not contain HTML that needs to
be passed through verbatim.  There are a few rare instances where this
is not true - for example, in a bulletin board system where posters
are allowed to enter direct HTML, the beans representing each post
might have properties such as "subject" and "body" that explicitly
contain HTML values.  To handle these cases, we've added a special
attribute that indicates that the value is HTML and should not be
escaped.  Of course, the danger here is that posters can easily screw
up the formatting of a page by putting in their own HTML, which is why
we see this situation so rarely.

Nathan Abramson

On 4 May 1999 (+0200), Samuel ROBERT <[EMAIL PROTECTED]> wrote:

> Hi all,
>
> I didn't see anything in 0.92 and 1.0 spec about encoding strings:
>
> If you get something in the page with (0.92):
>
> <DISPLAY PROPERTY=myBean:myProperty>
>
> The property will be displayed as is.
> So if the property has special characters (like <, ", &, etc),
> you may have some trouble in the resulting HTML page.
>
> So we need something to encode the string, in different manners,
> HTML, URL, XML...
>
> The workarounds I see are:
>
> 1- use java code <%= encodeHTML (myBean.getMyProperty ()) %>
> 2- encode strings in beans (ouch!)
> 3- modify beans so that they only return a subclass of String with
> methods getURLEncode, getHTMLEncode and write:
> <DISPLAY PROPERTY=myBean:myProperty:URLEncode>
>
> But none of these solutions satisfies me.
>
> Which of these solutions do you use, or do you have another one?
>
> 1.0 seems not to talk about this, but, as you can write your own tag,
> I think this should be possible :
>
> <jspext:getProperty name="myBean" property="myProperty" encode="html" />
>
> Anyway, why isn't this a built-in in JSP engine ?
>
> Thanks,
>
> --
> Samuel ROBERT               [EMAIL PROTECTED]
