Hi,

currently we don't have support in Sling for encoding output text according to HTML. Values of properties are directly written into the output stream. If these values contain angle brackets, the content will be written out as an HTML tag, which is usually not what you want. So the correct way is to encode outgoing text. Now, it's usually up to the application developer to decide if something needs to be escaped or not. Usually most of the text is escaped, while sometimes it might make sense not to escape, as you might have stored HTML snippets that you want to include directly.

The usage of the encoding should be as easy as possible and require nearly no extra work for the app developer. I briefly discussed this with Felix and we came up with this idea:

1. We add a new utility class RequestUtil to the API and add a static method encodeHTML(String) to this utility class.

2. We add a new interface HtmlEncodingValueMap which extends the ValueMap interface and is just a marker interface. The idea is that implementations of this interface act like a value map but encode all string values to HTML.

3. We add a new adapter factory which maps a resource to a HtmlEncodingValueMap. The implementation will adapt the resource to a ValueMap and add a wrapper around the value map which implements the HTML encoding.

4. We add a utility method to the ResourceUtil class to directly get a HtmlEncodingValueMap for a resource, like we have getValueMap already.

5. Optional: we could add a method to HtmlEncodingValueMap which allows getting the unencoded value.

So whenever you output HTML, you use the HTML encoding value map. Only if you know that you want to output HTML snippets and you're really sure that the snippet is not malicious, you use the value map.

WDYT?

Regards
Carsten
--
Carsten Ziegeler [email protected]
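The following is an added sketch of steps 1 to 5 of the proposal above as one Java example; it is not code from the mail or from the Sling project. It compiles against the real Sling API types ValueMap, ValueMapDecorator, Resource and AdapterFactory; the names RequestUtil.encodeHTML, HtmlEncodingValueMap and HtmlEncodingValueMapAdapterFactory are the ones proposed in the mail and are assumed not to exist yet, and the property values in main() are constructed sample data.

```java
// Added example, not Sling project code. Assumes only the Sling API types imported below;
// HtmlEncodingValueMap, RequestUtil and the adapter factory are the proposed names from the mail.
package example;

import java.util.HashMap;
import java.util.Map;
import org.apache.sling.api.adapter.AdapterFactory;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ValueMap;
import org.apache.sling.api.wrappers.ValueMapDecorator;

// Step 1: the encoding utility. Escapes the five characters that can change
// HTML structure or break out of a quoted attribute value.
final class RequestUtil {
    private RequestUtil() {}

    static String encodeHTML(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}

// Step 2 (plus optional step 5): marker interface with explicit raw access,
// so an unescaped read is visible in the calling code.
interface HtmlEncodingValueMap extends ValueMap {
    <T> T getUnencoded(String name, Class<T> type);
}

// Step 3: wrapper that encodes every String (or String[]) read through the map.
final class HtmlEncodingValueMapWrapper extends ValueMapDecorator implements HtmlEncodingValueMap {
    private final ValueMap delegate;

    HtmlEncodingValueMapWrapper(ValueMap delegate) {
        super(delegate);
        this.delegate = delegate;
    }

    @Override
    public <T> T getUnencoded(String name, Class<T> type) {
        return delegate.get(name, type);
    }

    @Override
    @SuppressWarnings("unchecked")
    public <T> T get(String name, Class<T> type) {
        return (T) encode(delegate.get(name, type));
    }

    @Override
    @SuppressWarnings("unchecked")
    public <T> T get(String name, T defaultValue) {
        T value = delegate.get(name, defaultValue);
        return (T) encode(value);
    }

    @Override
    public Object get(Object key) {
        return encode(delegate.get(key));
    }

    private static Object encode(Object value) {
        if (value instanceof String) {
            return RequestUtil.encodeHTML((String) value);
        }
        if (value instanceof String[]) {
            String[] in = (String[]) value;
            String[] out = new String[in.length];
            for (int i = 0; i < in.length; i++) {
                out[i] = RequestUtil.encodeHTML(in[i]);
            }
            return out;
        }
        return value; // non-string values (numbers, dates, ...) need no encoding
    }
}

// Step 3/4: adapter factory so resource.adaptTo(HtmlEncodingValueMap.class) works.
// Registering it as an OSGi service with the usual adaptables/adapters properties is omitted here.
final class HtmlEncodingValueMapAdapterFactory implements AdapterFactory {
    @Override
    @SuppressWarnings("unchecked")
    public <AdapterType> AdapterType getAdapter(Object adaptable, Class<AdapterType> type) {
        if (type == HtmlEncodingValueMap.class && adaptable instanceof Resource) {
            ValueMap raw = ((Resource) adaptable).adaptTo(ValueMap.class);
            return raw == null ? null : (AdapterType) new HtmlEncodingValueMapWrapper(raw);
        }
        return null;
    }
}

public final class Demo {
    public static void main(String[] args) {
        // Constructed sample property values standing in for resource properties.
        Map<String, Object> props = new HashMap<>();
        props.put("title", "Tom & Jerry <b>bold</b>");
        props.put("count", 42L);
        HtmlEncodingValueMap safe = new HtmlEncodingValueMapWrapper(new ValueMapDecorator(props));

        System.out.println(safe.get("title", String.class));          // Tom &amp; Jerry &lt;b&gt;bold&lt;/b&gt;
        System.out.println(safe.getUnencoded("title", String.class)); // Tom & Jerry <b>bold</b>
        System.out.println(safe.get("count", Long.class));            // 42
    }
}
```

The design choice worth noting: all the ValueMap read paths (get(String, Class), get(String, T) and the plain Map get(Object)) are overridden, so templates that read through any of them get encoded text, and the only way to obtain the raw string is the explicitly named getUnencoded, which is easy to spot in a review.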
