What I have:
I have a generic JSP page that is used throughout my application for displaying certain entities. The code that I am interested in goes like this:
<form:form modelAttribute="object"/>
<core:forEach items="${sections}" var="section" varStatus="itemStat">
<core:forEach items="${section.fields}" var="fieldDef">
<form:input path="${fieldDef.fieldName}"/>
</core:forEach>
</core:forEach>
<form:form>
For each section, and for each field in that section, I have an input having the path fieldName, which is what I want to display from each field.
What I want:
I would like instead of the input to be a simple text, like a label.
What I have tried:
I am most certain that I can do it somehow with <form:label> but I can't really make it work. Making a <form:label path="${fieldDef.fieldName}" /> just tells the browser for which field I need the label, but doesn't get the actual value from it.
I have also tried something like ${object.fieldDef.fieldName}, but in order for this to work I would have to first analyze the value of ${fieldDef.fieldName}, which would give me the name of the column, and then do a ${object.column}, but column being a variable I haven't been able to make this work in any way.
Alternative:
An alternative would be to just make the inputs as disabled and remove the border with CSS, but that would be a dirty way and from what I saw it is also tricky for IE different versions. I am sure that I can handle it directly.
I am a little intrigued by the fact that <form:input path="..."> puts into the input what it finds corresponding to that path (same goes for other form elements), but with label it works different.
So, what I want is basically simple, but I haven't managed to find a way. If someone could shed some light, that would be great. Thanks in advance !
You could look into the spring bind tag. I haven't tried using it before but this may work for you, in place of the input tag
<spring:bind path="fieldDef.fieldName">
${status.value}
</spring:bind>
reference: http://static.springsource.org/spring/docs/1.1.5/taglib/tag/BindTag.html
Instead of
<form:input path="${fieldDef.fieldName}"/>
use
<c:out value="${fieldDef.fieldName}"/>
It would display whatever value is there instead of creating a input field. Hope this helps you. Cheers.
Using the spring form tab, one option would be to use
<form:input disabled="true" path="${fieldDef.fieldName}"/>
To further make it not look like an input you could use CSS to style it to your preference.
Some css styles you could use:
background-color:#EEEEEE;border: 0px solid;
Update:
You could look into the spring bind tag. I haven't tried using it before but this may work for you, in place of the input tag
<spring:bind path="fieldDef.fieldName">
${status.value}
</spring:bind>
Related
I'm currently working on a Spring MVC project where we are migrating all our jsp files to thymeleaf. I'm aware that the spring form tag has an htmlEscape attribute that will escape user input when rendering, such as when the user submits an invalid form and the user input is rendered bound to the form. An example of this:
<form:form method="post" id="someForm" modelAttribute="${commandName}" htmlEscape="true" autocomplete="off">
<div class="form-group">
<input type="text" id="username" value="<c:out value='${inputValue}'/>"/>
<input type="password" id="password" />
<input type="submit" class="btn btn-lg btn-block-sm" value="<spring:message code="header.content.close"/>" tabindex="0" />
<input type="hidden" name="_eventId" value="continue"/>
</div>
</form:form>
This fits under the umbrella of output-escaping, which is something that happens on the server side when processing a template to render.
An example of an xss attack this prevents is if the user entered
<script>alert("gotcha");</script> for the username, and some arbitrary value for the password. The form will rerender with the entered username bound to the form. The htmlEscape="true" attribute in the form tag will cause this output to be escaped to mitigate xss. So the username field will contain <script>alert("gotcha");</script> when the bound form rerenders with the error, instead of the actually entered valid html
Is there a standard way to achieve this same functionality in thymeleaf?
A few possibilities I see:
This is already built into thymeleaf.
I'm aware that the spring thymeleaf package uses unbescape to perform output escaping on some attributes, for example SpringValueTagProcessor which I believe escapes output on th:value attributes. However, I'm not sure this is equivalent, and fear there may be security holes left unfilled if this was done in a way that only partially mitigates what the spring form htmlEscape fully mitigates.
If so, please explain how this covers the same cases that htmlEscape does.
There is an existing Spring / Spring MVC solution that is flexible enough to not rely on jsp.
If so, what?
There is a common solution to this for thymeleaf which involves some modification of the template parsing engine.
If so, please explain.
Here is a brief article to give you an idea of what I mean regarding the spring form behavior. Regarding this article, it appears that setting the defaultHtmlEscape to false globally in the web.xml only overrides the default value of HtmlEscapeTag, which appears to only work for spring tags. Thus I don't think the solution can be applied to thymeleaf.
I would appreciate any direction here.
Escaping of output text is done automatically if you use th:text. In rare cases, you can use th:utext if you want to use unescaped text, but you have to be aware of the security implications. See Process thymeleaf variable as html code and not text for some more info.
I ended up getting an answer on the GitHub discussions for the Thymeleaf project here, which I will summarize and clarify:
HTML escaping is built into Thymeleaf form elements by default.
This is evidenced by th:input processor source code. Note the use of getDisplayString which performs html output escaping via org.springframework.web.util.HtmlUtils
I went through and manually checked all the uses of getDisplayString where htmlEscape is false and can verify that in these cases, the output is HTML escaped before displaying (in the case of SpringErrorTagProcessor and SpringUErrorsTagProcessor), they don't output any content to escape (SpringSelectedValueComparator returns a boolean), or the expression is a bound object (SPELVariableExpressionEvaluator).
See GitHub issue thymeleaf/thymeleaf-docs#84 for information regarding the docs being updated accordingly.
When I use the below jstl code
<a href="http://mysite.com?id="<c:out value="${myid}"/>/><c:out value="${myid}"/></a>
the output is :
"1234"
The value 1234 corresponds to the variable value of myid but the url being generated is
"http://mysite.com?id=" so no value for myid is being generated as part of the href.
How can I amend the href so that entire href is displayed :
"http://mysite.com?id=1234"
instead of :
"http://mysite.com?id="
Ultimately, JSP/JSTL generates HTML. You're familiar with basic HTML, right?
Look closer at the generated HTML output by rightclick, View Source in browser. You'll see:
<a href="http://mysite.com?id="1234/>1234</a>
Is that valid HTML? No, you're closing the attribute value too soon with " at wrong place and you're closing the tag too soon with />. Look, the Stack Overflow HTML syntax highlighter also got confused. Instead, it should have been:
1234
Fix the HTML generator (i.e. the JSP/JSTL code) accordingly so that it generates the desired HTML:
<c:out value="${myid}"/>
Unrelated to the concrete problem, the <c:out> is only helpful in preventing XSS attack holes when redisplaying user-controlled input and actually the wrong tool to inline URL parameters. If you can guarantee that ${myid} is always a number (because it's a Long or Integer), you can even just leave it entirely out, making the code prettier to read:
${myid}
If the ${myid} is however not a guaranteed to be a number (because it's a String), then you should use <c:url> and <c:param> to properly URL-encode it:
<c:url value="http://mysite.com" var="myURL">
<c:param name="id" value="${myid}" />
</c:url>
<c:out value="${myid}" />
<c:url> tag is used to create an url. It is helpful in the case when cookies is turned off by the client, and you would be required to rewrite URLs that will be returned from a jsp page.
<c:param> tag may used as a subtag of to add the parameters in the returned URL. Using these parameters encodes the URL.
<c:url value="http://mysite.com" var="myURL">
<c:param name="id" value="${myid}" />
</c:url>
<a href="${myURL}" />${myURL}</a>
Read more from here.
I have a simple question. We can display error messages generated by validators of Spring something like the following.
<form:errors path='edId' cssStyle='font-weight: normal; color: red;'/>
I'm displaying such messages using some HTML like <ul><li></li></ul> and CSS. Therefore, even though there is no error, a blank bullet is displayed unnecessarily.
I therefore need to check conditionally on the JSP page whether the message is actually blank or not, something like,
<c:if test="${not empty edIdError}">
<form:errors path='edId' cssStyle='font-weight: normal; color: red;'/>
</c:if>
But testing this if condition requires storing the error message into some variable on JSP like <c:set var="edIdError"/> (as an example) which doesn't seem possible to me. Is it possible? Is there any other way to do this?
Anyway, I want to show the message with some HTML and CSS only when it is not empty. I'm using Spring 3.2.0.
And yes, I have a different scenario and cannot use this approach.
I have forgotten a simple thing about the <c:set> JSTL tag. It's a container tag. Therefore, it is obviously possible to enclose the <form:errors> tag within it like the following.
<c:set var="edIdError"><form:errors path='edId'/></c:set>
It sets the variable edIdError to the actual error message from Spring. So, it is now possible to check this conditionally whether it is null (and empty) or not like,
<c:if test="${not empty edIdError}">
<form:errors path='edId' cssStyle='font-weight: normal; color: red;'/>
</c:if>
There is no need to use the value attribute of the <c:set> tag in this scenario. I could use HTML and apply CSS within the <c:if> conditional block as I needed.
I'm writing a Module for Joomla! 2.5. In my Backend I've got a textarea, in which values should be written line by line. If the value is to big the line breaks and it looks really confusing and chaotic.
In normal html I would add a wrap="off" to the textarea-tag (I know it's not conform html, but it works), but the textarea is defined in the module's xml-file:
<field name="content" type="textarea" label="LWTAGCLOUD_CONTENT_LABEL" description="LWTAGCLOUD_CONTENT_DESCRIPTION" rows="20" cols="60" class="lw_tagcloud_textarea" default="VALUE; LINK"></field>
Has anyone an idea how to solve this problem?
If you cannot solve the problem using css only, and since you cannot add wrap="off" to the textarea type in Joomla, what you could do is to create a custom parameter type, the same like textarea, just with wrap=off already defined.
For more details on how to do it, have a look at http://docs.joomla.org/Creating_custom_template_parameter_types and http://www.sanjeevshrestha.com.np/2010/01/creating-color-element-in-joomla-for-custom-parameter-type/, it's not hard to make it
just use
for line break !
hope this help for anyone who ask
Is there a way to easily create a readonly version of JSP form in Spring?
i.e., I have a command object that's filled and if I show it as a form it works great, all the selects and radiobuttons get bound properly. However, my command object only holds id's of properties, not labels (i.e. and id from a select or a radiobutton list that gets bound on JSP load).
What I'd like to do is make a read only version where there'd be just a label - value list, without html objects such as inputs, selects and such.
So basically, in an edit version, there'd be something like
<form:select path="type.id" id="type">
<form:options items="${types}" itemLabel="name" itemValue="id"/>
</form:select>
but in the read only version I'd like to be able to automatically print only the exact type.name that got selected, i.e.
<c:out value="${commandName.type.name}"/>
Is there such a possibility, or do I have to mess with this in controller?
Ok so I guess there's no elegant way of matching IDs and values from model with IDs in command. Instead of doing extra work in controller, I matched the IDs on JSP, i.e.
<c:forEach var="type" items="${types}">
<c:if test="${type.id == commandName.type.id}">
<c:out value="${type.name}"/>
</c:if>
</c:forEach>
It's a bit extra work, but I'd rather do this than have a number of iterations over a List in my controller.