Announcement

Collapse
No announcement yet.
X
  • Filter
  • Time
Clear All
new posts

    TextAreaItem and escaping HTML

    Hi everyone,

    the SmartGWT Version is "v11.1p_2018-07-21/Pro Deployment (built 2018-07-21)".

    The main Problem is a strange behaviour with HTML Text inside of a TextAreaItem. The String inside our Database contains HTML-tags and we want to display the String without those tags. We use this TextAreaItem for displaying purposes only, so .setCanEdit() and .setCanFocus() are both set to false. I know that the default behaviour of this Item with .setCanEdit(false) will lead into escaped HTML Tags as mentioned in your JavaDocs. But i assume a call of .setEscapeHTML(false) should show the Text inside without HTML Tags. But this doesn't work.

    Maybe anyone got a clue or the same Problem.


    Kind regards,
    Dave

    #2
    Hi dave2018,

    IMHO your assumtion is wrong. setEscapeHTML(false) will make a "Hello <b>world</b>" show as "Hello world", hence introducing issues with Cross Site Scripting.
    setEscapeHTML(true) will make it show as "Hello <b>world</b>". In order generate "Hello world" you need to transform the DB contents yourself, either client or serverside.

    Best regards
    Blama

    Comment


      #3
      Hi Blama,

      thanks for your response. I've found a alternative way for displaying HTML text.

      Our solution is to use a "BlurbItem". This will lead to interpreted html tags and our users can style their text as they like.

      Best regards,
      Dave

      Comment


        #4
        Hi dave2018,

        I got your requirement wrong. You DO want the user designed text with user-markup. Please note that such things will introduce CSS vulnerabilities (think of a user entered name <script>alert('Hello');<script> ).
        Sanitizing this is a hard task and even lightweight markup languages like Markdown fail at it (e.g. 1, 2, 3).

        You'll definitely need a HTML Cleaner like suggested here by Isomorphic.

        Best regards
        Blama

        Comment

        Working...
        X