4

Assuming the following string template, is being given a list of Java Bean objects:

<ul>$people:{p|<li>$p.name$ $p.email</li>}$</ul>

ie the list of people might contain Person objects which you may or may not have the ability to enhance/extend:

class Person {
    ....
    public getName() { ... }
    public getEmail() { ... }
}

The getName() and getEmail() methods don't return sanitised (escaped html entities). How do you get around this?

Jay
  • 19,649
  • 38
  • 121
  • 184

2 Answers2

5

You may use a custom renderer, for example:

public static class HtmlEscapeStringRenderer implements AttributeRenderer {
    public String toString(Object o, String s, Locale locale) {
        return (String) (s == null ? o : StringEscapeUtils.escapeHtml((String) o));
    }
}

Then in the template indicate you want it escaped:

$p.name;format="html"$

That said, you may prefer to scrub the data on input, convert before sending to the template, send a decorated person to the template, etc.

public class App {
    public static void main(String[] args) {
        STGroupDir group = new STGroupDir("src/main/resource", '$', '$');
        group.registerRenderer(String.class, new HtmlEscapeStringRenderer());

        ST st = group.getInstanceOf("people");
        st.add("people", Arrays.asList(
                new Person("<b>Dave</b>", "dave@ohai.com"),
                new Person("<b>Nick</b>", "nick@kthxbai.com")
        ));

        System.out.println(st.render());
    }

    public static class HtmlEscapeStringRenderer implements AttributeRenderer {
        public String toString(Object o, String s, Locale locale) {
            return (String) (s == null ? o : StringEscapeUtils.escapeHtml((String) o));
        }
    }
}

This outputs:

<ul><li>&lt;b&gt;Dave&lt;/b&gt; dave@ohai.com</li><li>&lt;b&gt;Nick&lt;/b&gt; nick@kthxbai.com</li></ul>
Dave Newton
  • 158,873
  • 26
  • 254
  • 302
  • Thanks! Although, I think its best the "view" layer handles the formatting/escaping for the output medium (in this case html). – Jay Jan 15 '13 at 09:21
  • Not sure how to "register" the renderer. Its unclear from the doco's? – Jay Jan 15 '13 at 09:39
  • @Jacob It's clear, but it really depends on how you're using ST, I think. I've added my code, but it may or may not be directly applicable. – Dave Newton Jan 15 '13 at 12:57
  • 1
    @Jacob Not shown is a "js" escaper, based on the renderer's `s` parameter (the string passed in after `format=`).It was pretty frustrating to get things working the way I wanted--I'm completely unfamiliar with the library. So far I prefer other templating solutions, but that's due in no small part to ignorance. – Dave Newton Jan 15 '13 at 13:04
  • I've been using StringTemplate for a while now. It has become my template tool of choice. You indicated you prefer other tempting solutions? I wonder which ones. (I really like ST mainly because it goes to great lengths to be overly restrictive in terms of preventing logic appearing in template files). – Jay May 31 '13 at 02:40
  • I have yet to start using ST, but I'll need this feature. I can't post code samples yet, but I'll try to set up the renderer so that it escapes everything into HTML entities **by default**, and only prints the string unescaped, or converted into JSON, when a specific `format` is passed. That's a basic safety feature that other templating languages have and that it makes sense to have in place. – Tobia Dec 10 '14 at 17:47
5

It's not necessary to write your own renderer for this. You may use the builtin renderer org.stringtemplate.v4.StringRenderer

group.registerRenderer(String.class, new StringRenderer());

and add in your template :

<ul>$people:{p|<li>$p.name;format="xml-encode"$ $p.email;format="xml-encode"$</li>}$</ul>
Marimuthu Madasamy
  • 13,126
  • 4
  • 30
  • 52
dje-dje
  • 51
  • 1
  • 1