本文介绍了具有html样式的JSF OutputText的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧! 问题描述 29岁程序员,3月因学历无情被辞! 我需要一个输出文本,该文本的工作方式类似于带有escape ="false"属性的h:outputText,但不允许脚本运行.稍作搜索后,我发现tr:outputFormatted可以做到这一点,但是在我们的项目中,我们不使用特立尼达.在战斧或另一个taglib中是否有类似outputFormatted的东西?例如,<h:outputText id="id" value="<b>test text</b><script type="text/javascipt">alert('I dont want these alert to show');</script>" escape="false"/>以粗体显示测试文本",但它也会弹出警报对话框,我不希望脚本运行.它可以编写脚本代码或将其删除,但不应运行.解决方案使用HTML解析器清除这些恶意内容.除其他外, Jsoup 能够做到这一点.这是来自其网站的相关摘录.因此,在编写文本时,您要做的基本上是以下操作:String sanitizedText = Jsoup.clean(rawText, Whitelist.basic()); (您可以在将文本保存到数据库之前或之后执行此操作,但是请记住,如果在不保存原始文本之前执行此操作,则无法再检测到恶意用户并进行社交操作),然后显示如下:<h:outputText value="#{bean.sanitizedText}" escape="false" />I need a output text which works like h:outputText with escape="false" attribute, but doesn't let scripts to run. After a little search I found tr:outputFormatted makes that, but in our project we doesn't use trinidad. Is there something like outputFormatted in tomahawk, or in another taglib?for example,<h:outputText id="id" value="<b>test text</b><script type="text/javascipt">alert('I dont want these alert to show');</script>" escape="false"/>that shows 'test text' bold but it popups the alert dialog too, I don't want the script to run. it can write script code or delete it but shouldn't run. 解决方案 Use a HTML parser to get rid of those malicious things.Among others, Jsoup is capable of this. Here's an extract of relevance from its site.So, all you basically need to do is the the following during preparing the text:String sanitizedText = Jsoup.clean(rawText, Whitelist.basic());(you can do it before or after saving the text in DB, but keep in mind that when doing it before without saving the original text, you can't detect malicious users and do social actions anymore)and then display it as follows:<h:outputText value="#{bean.sanitizedText}" escape="false" /> 这篇关于具有html样式的JSF OutputText的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持! 上岸,阿里云!
06-07 13:32