4

I use Thymeleaf and Spring. I try to do inline JavaScript.

<script th:inline="javascript">

    $("#genericTable").bootstrapTable({
        url: /*[[${url}]]*/ 'generic',
        ...
     });    

On the server side I do

 model.addAttribute("url", "/rest/vehicles");

I get

url: "\/rest\/vehicles",

Why are some characters added to the string?

Edit

with

url: /*[[@{${url}}]]*/ 'generic',

first / is like removed, so it's invalid to call...

David
robert trudel
  • Sorry, I don't get it: which extra characters do you get? – Luca Masera Sep 25 '17 at 19:49
  • I updated, \ character is added – robert trudel Sep 25 '17 at 19:54
  • I think that's because it makes a kind of escaping of the /. That's why for URLs there's a special syntax. See here, there's a section about URL rewriting. http://www.thymeleaf.org/doc/articles/standardurlsyntax.html – Luca Masera Sep 25 '17 at 20:03
  • Have you tried to generate it outside the JavaScript comment? For example, as a text directly in HTML (using the @, of course). In that case, what do you get? – Luca Masera Sep 25 '17 at 20:28
  • If I use only: @{${url}} nothing is generated – robert trudel Sep 26 '17 at 11:27
  • Sorry, I mean outside the whole javascript block. Check what's generated when you just write it as a URL in HTML code. All the examples are always with something like "/path/to/@{value}". Maybe it ignores the first /. – Luca Masera Sep 26 '17 at 12:23
  • I know it looks ugly, but does escaping the forward slash cause any problems? That is, even though `url: "\/rest\/vehicles"` appears in the JavaScript _code_, isn't the resulting string still `"/rest/vehicles"`? If you do a `console.log(…)` of the value, won't it log `"/rest/vehicles"`? What is the actual problem here other than aesthetics of the JavaScript source code? – Garret Wilson Apr 28 '23 at 15:48

3 Answers

8

[(...)] should help

Example with problem I am facing:

$.getJSON('[[@{/management/users/search/unit/}]]' + value, function(data) {

Is transformed to:

$.getJSON('"\/management\/users\/search\/unit\/"' + value, function(data) {

Using [(...)]:

$.getJSON('[(@{/management/users/search/unit/})]' + value, function(data) {

Is transformed to:

$.getJSON('/management/users/search/unit/' + value, function(data) { 

From Thymeleaf 3.0 docs

Note that, while [[...]] corresponds to th:text (i.e. result will be HTML-escaped), [(...)] corresponds to th:utext and will not perform any HTML-escaping.

David
  • Assume that there is code like: $.getJSON("[(@{/some/url(param=${someUserInput})})]") , there is a risk of javascript code injection vulnerability here... For this specific scene, while s is generated string, s.replace("\/", "/") might be a better choice, I guess. – Mackerel May 10 '22 at 08:08
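Why `[[...]]` emits `\/` and what `[(...)]` gives up, as an added example that is not part of the original answers and is not Thymeleaf's own code: the function names, the reduced escape set and the sample values are constructed for illustration.

```javascript
// Simplified model of the two inline forms inside th:inline="javascript".
// Not Thymeleaf's code: names and the reduced escape set are assumptions.

// [[...]]: emit a complete JS string literal (quotes included) and turn
// every "/" into "\/", so the text "</script>" can never appear in the output.
function inlineEscaped(value) {
  return JSON.stringify(String(value)).replace(/\//g, "\\/");
}

// [(...)]: emit the value untouched; the template author supplies the quotes.
function inlineUnescaped(value) {
  return "'" + String(value) + "'";
}

// Would the HTML parser end the <script> element inside this source text?
function closesScript(source) {
  return /<\/script/i.test(source);
}

// Evaluate emitted source as a JS expression (constructed samples only).
// Returns the resulting string, or null if the source no longer parses.
function evaluate(source) {
  try {
    const v = new Function("return (" + source + ");")();
    return typeof v === "string" ? v : null;
  } catch (e) {
    return null;
  }
}

// Constructed sample values: the question's URL and one holding a quote
// plus a closing script tag, standing in for user-influenced input.
const samples = ["/rest/vehicles", "a'b</script>c"];

function report() {
  return samples.map((value) => {
    const esc = inlineEscaped(value);
    const raw = inlineUnescaped(value);
    return {
      value,
      escaped: esc, escapedRoundTrips: evaluate(esc) === value,
      escapedClosesScript: closesScript(esc),
      unescaped: raw, unescapedRoundTrips: evaluate(raw) === value,
      unescapedClosesScript: closesScript(raw),
    };
  });
}

console.log(report());
```

Wrapping the `[[...]]` output in hand-written quotes, as in the failing `$.getJSON` line above, produces a string that contains literal double quotes; the quotes are part of what `[[...]]` emits and are only written by hand with `[(...)]`.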
3

You can try something like this:

<script type="text/javascript" th:inline="javascript">
  /*<![CDATA[*/
    $("#genericTable").bootstrapTable({
        url: /*[[${url}]]*/ 'generic',
        ...
    });  
  /*]]>*/
</script>
juanlumn
0

I know the question is a little old, but the answers don't correct the problem, or the same I faced. To remove escaping I suggest writing code like this (double quotes are here only for JavaScript purposes):

<script type="text/javascript" th:inline="javascript">
  /*<![CDATA[*/
    $("#genericTable").bootstrapTable({
        url: "[(@{ ${url} })]",
        ...
    });  
  /*]]>*/
</script>