4

I'm currently working in a Spring Boot project with Thymleaf 2.1.3 . I'm adding some meta tags to a page, by doing:

<meta name="pagename" th:content="${pagename}"/>

The pagename variable is filled in by the controller. This works, but for the fact that pagename is HTML escaped. This is incorrect behaviour for my application. I sanitize the data myself, after that it should be place raw inside the content tag.

I've looked around and i found th:inline, which doesn't work for content tags. Also found th:utext, but that also doesn't work for th:content..

Does anybody know a solution for this problem?

Thanks!

Nick
  • 1,441
  • 11
  • 22

1 Answers1

1

As far as I know Thymeleaf will always escape content going into HTML attributes, consistent with the the XML/HTML spec which dictates that content should be escaped. That said there may be a couple of workarounds as discussed on the forum by others trying to do the same thing: http://forum.thymeleaf.org/How-to-get-unescaped-text-into-title-attribute-td4027791.html

One involves creating your own attribute processor, the other is a syntax hack.

Do you have to sanitise the content yourself first? Can you not let Thymeleaf do it in the view layer?

Tom Bunting
  • 1,845
  • 16
  • 24