javascript JSF 请不要转义我的 html
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7442584/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
JSF please don't escape my html
提问by Franz Kafka
From the dbms I get stuff like <font color="red"> abc</font>. When it reaches the ${someManagedBean.someValue}in my xhtml file the output is sanitized. That is great for 99,999% of all cases.
从 dbms 我得到类似<font color="red"> abc</font>. 当它到达${someManagedBean.someValue}我的 xhtml 文件时,输出被清理。这对于 99,999% 的所有情况都很好。
Question: Is there some way to disable this auto escaping?
问题:有没有办法禁用这种自动转义?
Bonus Question: Can I only allow html and disallow javascript?
额外问题:我可以只允许 html 并禁止 javascript 吗?
回答by James DW
<h:outputText value="#{someManagedBean.someValue}" escape="false" />
回答by Paul Grime
https://docs.oracle.com/javaee/7/javaserver-faces-2-2/vdldocs-facelets/h/outputText.html
https://docs.oracle.com/javaee/7/javaserver-faces-2-2/vdldocs-facelets/h/outputText.html
escape=false
escape=false
Not sure about preventing JS only though. You might have to parse the HTML yourself to get rid of <script>and contents.
虽然不确定是否只阻止 JS。您可能必须自己解析 HTML 才能删除<script>和删除内容。
EDIT- Removed link (http://www.jsftoolbox.com/documentation/help/12-TagReference/html/h_outputText.html) because it was stale. Replaced with Oracle link.
编辑- 删除了链接(http://www.jsftoolbox.com/documentation/help/12-TagReference/html/h_outputText.html),因为它已经过时了。替换为 Oracle 链接。
回答by ControlPower
outputFormat tag can help you. Please check http://www.mkyong.com/jsf2/jsf-2-outputformat-example/
outputFormat 标签可以帮助你。请检查http://www.mkyong.com/jsf2/jsf-2-outputformat-example/
