JSF 2.0; escape = "false" alternative to prevent XSS?

In my JSF web application I am using message.properties to output some text. This text may contain HTML line breaks to format the output text.

Everything works fine if I set the escape = "false" attribute on the output text.

The problem is that this "false" attribute does not protect against XSS (cross-site scripting), so I removed this attribute and use the default "true".

Also, I don't want to split all text lines into separate properties in my .properties messages, like in this example:

mytext = This is my text<br />with line break and user value {0}...

into

mytext1 = This is my text
mytext2 = with line break and user value {0}...

Is there any way other than escape="false" that still prevents XSS?

Thanks!

+3

2 answers


It should be possible to just escape the user-supplied parameter using the standard JSTL functions in the namespace http://java.sun.com/jsp/jstl/functions:

<!-- requires xmlns:fn="http://java.sun.com/jsp/jstl/functions" on the root element -->
<h:outputFormat value="#{bundle.myMessage}" escape="false">
    <f:param value="#{fn:escapeXml(param)}"/>
</h:outputFormat>

+4


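As an added illustration (not code from the answer above or from JSF itself), the same separation done in plain Java: the trusted bundle text is formatted raw so its <br /> survives, while the user value is escaped before it is substituted. The escapeXml helper is hypothetical and replaces the same five characters as JSTL's fn:escapeXml; the bundle text is a constructed stand-in for the message.properties entry.

```java
import java.text.MessageFormat;

public class SafeOutputFormat {

    // Constructed stand-in for the trusted, developer-authored properties entry:
    //   mytext = This is my text<br />with line break and user value {0}...
    // Note: h:outputFormat uses MessageFormat, so an apostrophe in the pattern
    // itself must be doubled ('') or it is swallowed as a quote character.
    static final String MYTEXT =
        "This is my text<br />with line break and user value {0}...";

    // Hypothetical helper mirroring fn:escapeXml: replaces < > & ' and "
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Equivalent of <h:outputFormat escape="false"> with
    // <f:param value="#{fn:escapeXml(param)}"/>: the pattern is emitted raw,
    // only the parameter is escaped, then the two are combined.
    static String render(String bundleText, String userValue) {
        return MessageFormat.format(bundleText, escapeXml(userValue));
    }

    public static void main(String[] args) {
        String user = "<b>name</b> & co";   // constructed user-supplied value
        String html = render(MYTEXT, user);
        System.out.println(html);
        // The bundle's <br /> is still markup; the user's tags are inert text.
        if (!html.contains("<br />") || html.contains("<b>")
                || !html.contains("&lt;b&gt;name&lt;/b&gt; &amp; co")) {
            throw new AssertionError("escaping did not behave as expected");
        }
    }
}
```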
XSS cannot happen if you are outputting some HTML from a secure source that is not entered or edited by the user. You can safely use escape="false" in this case.



+1

