
I'm working to upgrade an old web program written in PHP with a MySQL database as the backend.

The database is full of text like this: `&lt;P&gt;&lt;STRONG&gt;&lt;FONT size=4&gt;`

which is obviously an encoded form of `<P><STRONG><FONT size=4>`

How can I get a JSF file to render that properly? Outputting it as escaped text gives me the 1st line, and unescaped text gives me the 2nd line.

I want the HTML to appear as HTML in the document; I'll accept the risk of doing so :)

Am I better off decoding the text in the database? I'm not sure that this is a format I want to work with in the future, but I have so little experience with HTML entities that I'm just not sure of the best long-term route.

Anything from technical knowhow to the ramblings of wise old sages is welcome here.

JHarnach
  • Sorry, but what do you mean by _"I want the HTML to appear as html in the document?"_ Do you want to literally display the text `` or do you want to **render** a paragraph with bold text, size 4? – Matt Ball Aug 23 '11 at 23:12
    By the way, the HTML `` tag is deprecated since 1998. – BalusC Aug 23 '11 at 23:21
  • Originally I'd wanted to display the document with rendered markup, when the DB contains the HTML for a table, I'd want to render a table. Now that I'm rereading my original question, I'm wondering if that's the best approach. – JHarnach Aug 24 '11 at 15:09

1 Answer

How can I get a JSF file to render that properly? Outputting it as escaped text gives me the 1st line, and unescaped text gives me the 2nd line.

Wrap `StringEscapeUtils#unescapeHtml()` in an EL function (example here) and display it in an `<h:outputText>` with `escape="false"`.

    <h:outputText value="#{util:unescapeHtml(bean.value)}" escape="false" />

The function will turn `&lt;` into `<` and so on; the `escape="false"` will prevent JSF from re-escaping it (JSF escapes by default in order to prevent user-controlled input from being literally interpreted, which can possibly create XSS holes).


Am I better off decoding the text in the database? I'm not sure that this is a format I want to work with in the future, but I have so little experience with HTML entities that I'm just not sure the best long-term route.

Not storing HTML in the DB at all is the best option. If there is really no other option, then I'd opt for decoding them straight in the DB.

BalusC
  • What is this notation `util:unescapeHtml`? Is that a Java 8 method reference with one colon? – jordanpg Jul 27 '15 at 22:54
  • @jordanpg: Click the "example here" link. – BalusC Jul 28 '15 at 05:11
  • So it's a custom Facelets (JSP?) tag inside a value expression? Is that really the intended use case of custom tags? IOW, what is the advantage of doing that over just using a managed bean, e.g. `utilBean.unescape(x)`? – jordanpg Jul 28 '15 at 12:55
  • It's not a custom tag. It's an EL function. It isn't possible to invoke static methods on a (stateful!) managed bean. – BalusC Jul 28 '15 at 13:42
  • Looks like a custom tag to me: http://docs.oracle.com/javaee/7/tutorial/jsf-custom008.htm#BNAWN I also note in passing that I never saw "EL function" in the official docs: http://docs.oracle.com/javaee/7/tutorial/jsf-el.htm#GJDDD – jordanpg Jul 28 '15 at 13:49
  • Also, I still don't see what the advantage of defining `util:method(x)` over `utilBean.method(x)` is. Doesn't need to be static. – jordanpg Jul 28 '15 at 13:50
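
As an added example (not BalusC's code, and not taken from the answer's "example here" link), this is what stands behind `#{util:unescapeHtml(bean.value)}` and the EL-function mechanism debated in the comments: a public static method registered through a Facelets taglib, rather than a managed bean. It assumes commons-lang 2.x; the package, class name and namespace URI are hypothetical.

```java
// Added example (not from the answer): the EL function behind #{util:unescapeHtml(...)}.
// Assumes commons-lang 2.x; on commons-lang3 the methods are unescapeHtml4/escapeHtml4.
// Package, class name and the taglib namespace URI are hypothetical.
package com.example.util;

import org.apache.commons.lang.StringEscapeUtils;

public final class HtmlFunctions {

    private HtmlFunctions() {
    }

    // EL functions must be public static: no bean instance is involved, which is
    // why the answer says a (stateful) managed bean is not the right place for this.
    // Null-safe so an empty DB column does not break the value expression.
    public static String unescapeHtml(String value) {
        return value == null ? null : StringEscapeUtils.unescapeHtml(value);
    }

    // Stand-alone check of the two renderings the question describes.
    public static void main(String[] args) {
        // Constructed stand-in for a value read from the MySQL column.
        String stored = "&lt;P&gt;&lt;STRONG&gt;&lt;FONT size=4&gt;";
        String decoded = unescapeHtml(stored);
        // What escape="false" hands to the browser: raw markup, interpreted as HTML.
        System.out.println(decoded);
        // With the default escape="true", JSF encodes the decoded text again, so the
        // page shows the entity-encoded form (the question's "1st line") once more.
        System.out.println(StringEscapeUtils.escapeHtml(decoded));
    }
}

/* Registration in /WEB-INF/util.taglib.xml (on JSF 2.0 also list that path in the
   javax.faces.FACELETS_LIBRARIES context parameter of web.xml):

<?xml version="1.0" encoding="UTF-8"?>
<facelet-taglib xmlns="http://java.sun.com/xml/ns/javaee" version="2.0">
    <namespace>http://example.com/util</namespace>
    <function>
        <function-name>unescapeHtml</function-name>
        <function-class>com.example.util.HtmlFunctions</function-class>
        <function-signature>java.lang.String unescapeHtml(java.lang.String)</function-signature>
    </function>
</facelet-taglib>

   In the Facelets page declare xmlns:util="http://example.com/util" and use
   <h:outputText value="#{util:unescapeHtml(bean.value)}" escape="false" />
*/
```

Everything that reaches `escape="false"` through this function is emitted unencoded, so the only thing standing between the database column and the browser is whatever validation happened when the row was written.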