> There are a few rare instances where this is not true
Hmm...I'm using a template system instead of JSP, but it allows access
to bean properties so the same issues apply. We allow customers some
(limited) site customizations which are frequently HTML. Of course this
could result in bad markup, so we have a sandbox to prevent screwing
up their live site, but it's not an especially rare situation. It's
interesting that no Dynamo customers have this situation.
Rod McChesney, Korobra
Nathan Abramson wrote:
>
> In Dynamo, our equivalent to the property display mechanism
> automatically encodes property values to escape special HTML
> characters (<, >, &). The reasoning is that data-supplying beans
> should have no presentation-specific code, especially code that
> formats property values into HTML. Instead, the presentation layer,
> such as JSP, should handle formatting data.
>
> By default, we assume that all property values want their data to be
> escaped - i.e., the property values do not contain HTML that needs to
> be passed through verbatim. There are a few rare instances where this
> is not true - for example, in a bulletin board system where posters
> are allowed to enter direct HTML, the beans representing each post
> might have properties such as "subject" and "body" that explicitly
> contain HTML values. To handle these cases, we've added a special
> attribute that indicates that the value is HTML and should not be
> escaped. Of course, the danger here is that posters can easily screw
> up the formatting of a page by putting in their own HTML, which is why
> we see this situation so rarely.
>
> Nathan Abramson
>
> On 4 May 1999 (+0200), Samuel ROBERT <[EMAIL PROTECTED]> wrote:
>
> > Hi all,
> >
> > I didn't see anything in 0.92 and 1.0 spec about encoding strings:
> >
> > If you get something in the page with (0.92):
> >
> > <DISPLAY PROPERTY=myBean:myProperty>
> >
> > The property will be displayed as is.
> > So if the property has special characters (like <, ", &, etc),
> > you may have some trouble in the resulting HTML page.
> >
> > So we need something to encode the string, in different manners,
> > HTML, URL, XML...
> >
> > The workarounds I see are:
> >
> > 1- use java code <%= encodeHTML (myBean.getMyProperty ()) %>
> > 2- encode strings in beans (ouch!)
> > 3- modify beans so that they only return a subclass of String with
> > methods getURLEncode, getHTMLEncode and write:
> > <DISPLAY PROPERTY=myBean:myProperty:URLEncode>
> >
> > But none of these solutions satisfies me.
> >
> > Which of these solutions do you use, or do you have another one ?
> >
> > 1.0 seems not to talk about this, but, as you can write your own tag,
> > I think this should be possible :
> >
> > <jspext:getProperty name="myBean" property="myProperty" encode="html" />
> >
> > Anyway, why isn't this a built-in in JSP engine ?
> >
> > Thanks,
> >
> > --
> > Samuel ROBERT [EMAIL PROTECTED]
>
> ===========================================================================
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff JSP-INTEREST". For general help, send email to
> [EMAIL PROTECTED] and include in the body of the message "help".
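
The escape-by-default property display with an explicit opt-out that the thread describes, together with the per-context encoding the original question asks for, as an added Java example that is not code from the posts, from Dynamo or from any JSP engine. The names PropertyDisplay, Encode and Post are hypothetical and the sample bean is constructed.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class PropertyDisplay {
    // Hypothetical encode modes; RAW is the explicit "value is HTML" opt-out.
    enum Encode { HTML, URL, RAW }

    // Escape characters that change meaning in HTML text and quoted attributes.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Read a bean property by name and encode it for the output context.
    // The bean stays free of presentation code; the display layer picks the encoding.
    static String display(Object bean, String property, Encode mode) throws Exception {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean.getClass()).getPropertyDescriptors()) {
            if (pd.getName().equals(property) && pd.getReadMethod() != null) {
                Object v = pd.getReadMethod().invoke(bean);
                String s = v == null ? "" : v.toString();
                switch (mode) {
                    case URL: return URLEncoder.encode(s, StandardCharsets.UTF_8); // Java 10+
                    case RAW: return s;            // caller vouches for the markup
                    default:  return escapeHtml(s); // escaping is the default path
                }
            }
        }
        throw new IllegalArgumentException("no readable property: " + property);
    }

    // Constructed sample bean standing in for a bulletin-board post.
    public static class Post {
        public String getSubject() { return "<b>Re:</b> Tom & \"Jerry\""; }
    }

    public static void main(String[] args) throws Exception {
        Post p = new Post();
        for (Encode mode : Encode.values())
            System.out.println(mode + ": " + display(p, "subject", mode));
    }
}
```

Only the RAW path emits the value unescaped, so a review of customer-editable or poster-supplied markup can be scoped to the call sites that request it.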