Using spring form, we display an input like this:
<%# taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
...
<form:input type="text" cssClass="w50" path="lastName" cssErrorClass="w50 error" placeholder="${msgLastName}" />
Sometimes, the users lastname value may content single quote, eg "Job's". This probkem is that we clean the lastname with the OWASP HTML Project, which causes the lastname to be
Job's
When the input is displayed into the browser, the ascii value is also displayed - whici is bad. I would like to display simply "Job's" into the input.
I tested with a simple JSP input, eg.
<input type="text" cssClass="w50" value="${myobject.lastName}" cssErrorClass="w50 error" placeholder="${msgLastName}" />
In this case, the rendering is fine.
My conclusion is that the problem comes from spring, but how to avoid it?
Finally found the answer.
Spring HTML-escapes the values, it doesn't really output
Job's
but
Job's
As there is an HTML character, it isn't parsed as ascii.
Using Chrome, if I inspect the DOM I cannot see the
&
but if I "edit as HTML" then I see it.
Related
My application uses Struts messages resources to show message on JSP file.
<message-resources parameter="ApplicationResources" />
This is what I have specified in my Struts XML file.
In my web application I want to give user the freedom to change the label name to some other name. How can I change the label name in Struts at run time, so that updated label is displayed on the screen.
I have tried updating the label using following code in Action class, but it updates the alert message shown on the screen and not the label.
ActionMessages messages = new ActionMessages();
messages.add("App.Screen.ScreenHeading", new ActionMessage("App.Screen.ScreenHeading", "My Heading"));
saveMessages(request, messages);
Actions messages are used with the validation. Better you don't try to set request attributes using this approach because action message are incompatible to the newer versions of Struts framework and you might have problems upgrading those messages. Another approach is to use a form bean or request scope variable to provide the text used to substitute for the message displayed by bean:message tag.
request.setAttribute("App_Screen_ScreenHeading", "My Heading");
the JSP
<%# taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<td width="120" class="labelTextSelect"><span class="mandatory">*</span>
<c:if test="${empty App_Screen_ScreenHeading}">
<bean:message key="App.Screen.ScreenHeading" />
</c:if>
<c:if test="${not empty App_Screen_ScreenHeading}">
<c:out value=${App_Screen_ScreenHeading}"/>
</c:if>
</td>
When I use the below jstl code
<a href="http://mysite.com?id="<c:out value="${myid}"/>/><c:out value="${myid}"/></a>
the output is :
"1234"
The value 1234 corresponds to the variable value of myid but the url being generated is
"http://mysite.com?id=" so no value for myid is being generated as part of the href.
How can I amend the href so that entire href is displayed :
"http://mysite.com?id=1234"
instead of :
"http://mysite.com?id="
Ultimately, JSP/JSTL generates HTML. You're familiar with basic HTML, right?
Look closer at the generated HTML output by rightclick, View Source in browser. You'll see:
<a href="http://mysite.com?id="1234/>1234</a>
Is that valid HTML? No, you're closing the attribute value too soon with " at wrong place and you're closing the tag too soon with />. Look, the Stack Overflow HTML syntax highlighter also got confused. Instead, it should have been:
1234
Fix the HTML generator (i.e. the JSP/JSTL code) accordingly so that it generates the desired HTML:
<c:out value="${myid}"/>
Unrelated to the concrete problem, the <c:out> is only helpful in preventing XSS attack holes when redisplaying user-controlled input and actually the wrong tool to inline URL parameters. If you can guarantee that ${myid} is always a number (because it's a Long or Integer), you can even just leave it entirely out, making the code prettier to read:
${myid}
If the ${myid} is however not a guaranteed to be a number (because it's a String), then you should use <c:url> and <c:param> to properly URL-encode it:
<c:url value="http://mysite.com" var="myURL">
<c:param name="id" value="${myid}" />
</c:url>
<c:out value="${myid}" />
<c:url> tag is used to create an url. It is helpful in the case when cookies is turned off by the client, and you would be required to rewrite URLs that will be returned from a jsp page.
<c:param> tag may used as a subtag of to add the parameters in the returned URL. Using these parameters encodes the URL.
<c:url value="http://mysite.com" var="myURL">
<c:param name="id" value="${myid}" />
</c:url>
<a href="${myURL}" />${myURL}</a>
Read more from here.
I am changing some code from a home grown MVC to Spring 2.5 MVC. We have a form to edit an object, so I am using formBackingObject() in my controller to populate the form fields with the current values. In the old MVC, we used the JSTL fmt taglib to format date and money fields. This was nice because the formatting was in the presentation layer.
Now with Spring, the fields are populated correctly with formBackingObject(), but Spring doesn't recognize the the value attribute in the form:input element:
<%# taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<form:form method="post" commandName="editProgramCommand" name="editTitleForm">
<fmt:formatNumber type="NUMBER" value="${program.price}" var="formattedPrice" minFractionDigits="2" />
<form:input path="price" id="price" value="${formattedPrice}" />
... other fields
</form:form>
Thoughts on how to properly format values in a Spring form? I'm not finding much on the web, so I figure its either a really simple syntax error, or I'm completely on the wrong track.
Spring form:input recognize the value of the input from its path attribute and not from the value attribute. If you see the spring form tld, there is no attribute value for the form input tag.
One way which i think is format the values in the back end and bring and set it in the front end.
Otherwise you can use the conventional spring:bind instead of spring form. Spring Bind Reference
I'm validating the input field that's bound to path. I'm using hibernate-validator 4 for this.
Now I'd like to highlight the age label so it pops out of the page (bold, red colour etc.).
However I'm wondering what the cleanest way to do this is.
<spring:hasBindErrors name="*"/> seems to be for the whole form object instead of for a specific field. Any input is appreciated.
Spring provides special jsp tags for forms, which support this task (highlighing in case of error):
For example this jsp
...
<%# taglib prefix='form' uri='http://www.springframework.org/tags/form'%>
...
<form:form method="post"
commandName="myCommand">
<form:input path="name"
cssClass="normalLayout"
cssErrorClass="normalLayout error"/>
<form:errors path="name"
cssClass="errorMessage"/>
</form:form>
...
In this case: the input field uses the css class "normalLayout" if every thing is ok, and the css classes "normalLayout" and "name" if there is a validation error for the field.
form:errors is to print the error message generated while validation.
#see http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/view.html#view-jsp-formtaglib
What's the proper way to create a hyperlink in Spring+JSP? There must be a better way than just coding in the <a href="..."> tag. Take for example a page that displays people. The URL is people.htm. The corresponding controller gets people from the database and performs optional column sorting. The JSP might look like:
<table>
<tr>
<td>Name</td>
<td>Age</td>
<td>Address</td>
</tr>
...
This seems bad as the URL people.htm is hardcoded in the JSP. There should be a way to have Spring automatically build the <a> tag using the URL defined in servlet.xml.
Edit: Maybe I should be using a Spring form.
The only thing that comes to mind is the JSTL standard tag <c:url>. For example:
<c:url var="thisURL" value="homer.jsp">
<c:param name="iq" value="${homer.iq}"/>
<c:param name="checkAgainst" value="marge simpson"/>
</c:url>
Next
Now this won't get you servlet mapping or the like but nothing will. It's not something you could really do programmatically (after all, a servlet can and usually does map to a range of URLs). But this will take care of escaping for you.
I haven't seen this kind of functionality in pure spring (although grails offers things like that).
For your specific case you might consider removing the file part and only using the query string as the href attribute:
<td>Name</td>
<td>Age</td>
<td>Address</td>
These links append the query string to the path component of the current url.
In Spring MVC in jsp:
You can use:
General Hyperlink:
Click Here
If passing from controller:
Click Here
Jsp tags
<c:url var="URL" value="login">
<c:param name="param" value="${parameter}"/>
</c:url>
Click Here
Hope it Helps.. :)
Better way to create link is:
Name
<%=request.getContextPath() %> makes sure that correct URI will be taken into account.
"sort" parameter you can get over with hidden field and change a value with a little bit of javascript:
<input type="hidden" name="sort" id="sort" value="name">
And controller method should look like this:
#RequestMapping("/people")
public String createUser(String sort) {
...
}
Import this package in your jsp file
<%# taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
when you want to redirect new page or url then use for eg.
<a href='<c:url value="url of next page" />'>Home</a>