1

I am having an issue where '<' is NOT escaped by outputText in JSF.

I am running Tomcat 7.0.40 with JSF 2.0, and have the following declarations:

<?xml version="1.0" encoding="UTF-8"?>
<f:view contentType="text/html" encoding="UTF-8">

This line breaks the HTML because the '<' is NOT escaped:

<h:outputText value="Some < text from the database"/>

The output shows "Some" and then the HTML is broken because of the un-escaped '<'.

The '<' is correct in the database, and it also renders correctly in the form text box:

 <p:inputText value="#{db_data}" ... />

My web.xml file contains:

<filter>
    <filter-name>encodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
    <init-param>
        <param-name>forceEncoding</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>encodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

A bit of my POM...

 <!-- JSF -->
    <dependency>
        <groupId>com.sun.faces</groupId>
        <artifactId>jsf-api</artifactId>
        <version>2.1.12</version>
        <exclusions>
            <exclusion>
                <groupId>javax.servlet.jsp</groupId>
                <artifactId>javax.servlet.jsp-api</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>com.sun.faces</groupId>
        <artifactId>jsf-impl</artifactId>
        <version>2.1.12</version>
    </dependency>

    <dependency>
        <groupId>org.primefaces</groupId>
        <artifactId>primefaces</artifactId>
        <version>3.4.1</version>
    </dependency>

    <dependency>
        <groupId>org.omnifaces</groupId>
        <artifactId>omnifaces</artifactId>
        <version>1.4.1</version>
        <!-- Or 1.5-SNAPSHOT -->
    </dependency>

Of course, other HTML entities are also NOT being escaped: &, >, etc.

Regardless of whether I use #{output}, <h:outputText value="#{output}"/>, or <h:outputText value="#{output}" escape="true"/>, the output is NOT escaped...

  • Are you using this specific example or are you using a property String that holds a `<`? – SJuan76 Nov 19 '13 at 00:49
  • I am retrieving a String from the database (into a backing bean String field) that contains an unencoded '<' in it... – urbanmarsupial Nov 19 '13 at 01:06
  • I have also been trying with a hard-coded string directly in the XHTML to make sure it's not a DB driver issue. – urbanmarsupial Nov 19 '13 at 01:08
  • Whatever the database is returning, the JSF control should escape it correctly so that should not be the issue. – SJuan76 Nov 19 '13 at 01:14
  • I guess you might have to set `escape=true` in `` to escape XML characters – SRy Nov 19 '13 at 01:31
  • Never seen this. This is definitely not a configuration setting. Which JSF impl/version are you using? Any chance that you've copypasted/modified some JSF impl specific source codes in your project? – BalusC Nov 19 '13 at 10:34
  • I'm using jsf-impl 2.1.12. I added my POM settings above... – urbanmarsupial Nov 19 '13 at 17:13
  • According to the Mojarra issue database, there was indeed a bug like that in 2.1.12. I posted an answer. – BalusC Nov 19 '13 at 19:11

2 Answers

1

This issue was resolved by upgrading to jsf-impl 2.1.26.

1

This is caused by a bug in Mojarra 2.1.12 which is reported as issue 2503 and fixed in 2.1.13.

So, if you upgrade to at least Mojarra 2.1.13, then this peculiar problem should disappear.

BalusC
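
Because this bug makes `h:outputText` write database text into the page unescaped, a build-time check for the affected release is worth having. The following is an added example, not code from the question or the answers: it reads a POM and reports whether `com.sun.faces:jsf-impl` is pinned to the 2.1.12 release named above. The names `check_mojarra` and `parse_version` and the sample POM are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Versions from the answer above: bug present in Mojarra 2.1.12, fixed in 2.1.13.
AFFECTED = (2, 1, 12)
FIXED = (2, 1, 13)

# Constructed sample POM (not the asker's full file); the version comes from a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><mojarra.version>2.1.12</mojarra.version></properties>
  <dependencies>
    <dependency>
      <groupId>com.sun.faces</groupId>
      <artifactId>jsf-impl</artifactId>
      <version>${mojarra.version}</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """'2.1.26' -> (2, 1, 26); a qualifier such as -SNAPSHOT is dropped."""
    return tuple(int(part) for part in text.split("-", 1)[0].split("."))


def check_mojarra(pom_xml):
    """Return (declared_version, status) for com.sun.faces:jsf-impl in one POM."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():                      # accept POMs with or without the namespace
        el.tag = el.tag.split("}", 1)[-1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    for dep in root.iter("dependency"):
        coords = (dep.findtext("groupId", "").strip(), dep.findtext("artifactId", "").strip())
        if coords != ("com.sun.faces", "jsf-impl"):
            continue
        raw = dep.findtext("version", "").strip()
        if raw.startswith("${") and raw.endswith("}"):
            raw = props.get(raw[2:-1], raw)     # resolve a property defined in this POM
        try:
            version = parse_version(raw)
        except ValueError:
            return raw, "unresolved"            # inherited or non-numeric: check the parent POM
        if version == AFFECTED:
            return raw, "affected"
        # Releases before 2.1.12 are not discussed on this page, so they are not judged here.
        return raw, "fixed" if version >= FIXED else "unverified"
    return None, "not-declared"


if __name__ == "__main__":
    print(check_mojarra(SAMPLE_POM))
```

A status of `unresolved` means the version is inherited or set outside this file, so the effective POM has to be checked instead.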