I'm validating the input field that's bound to path. I'm using hibernate-validator 4 for this.
Now I'd like to highlight the age label so it pops out of the page (bold, red colour etc.).
However I'm wondering what the cleanest way to do this is.
<spring:hasBindErrors name="*"/> seems to be for the whole form object instead of for a specific field. Any input is appreciated.
Spring provides special jsp tags for forms, which support this task (highlighing in case of error):
For example this jsp
...
<%# taglib prefix='form' uri='http://www.springframework.org/tags/form'%>
...
<form:form method="post"
commandName="myCommand">
<form:input path="name"
cssClass="normalLayout"
cssErrorClass="normalLayout error"/>
<form:errors path="name"
cssClass="errorMessage"/>
</form:form>
...
In this case: the input field uses the css class "normalLayout" if every thing is ok, and the css classes "normalLayout" and "name" if there is a validation error for the field.
form:errors is to print the error message generated while validation.
#see http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/view.html#view-jsp-formtaglib
Related
I'm currently working on a Spring MVC project where we are migrating all our jsp files to thymeleaf. I'm aware that the spring form tag has an htmlEscape attribute that will escape user input when rendering, such as when the user submits an invalid form and the user input is rendered bound to the form. An example of this:
<form:form method="post" id="someForm" modelAttribute="${commandName}" htmlEscape="true" autocomplete="off">
<div class="form-group">
<input type="text" id="username" value="<c:out value='${inputValue}'/>"/>
<input type="password" id="password" />
<input type="submit" class="btn btn-lg btn-block-sm" value="<spring:message code="header.content.close"/>" tabindex="0" />
<input type="hidden" name="_eventId" value="continue"/>
</div>
</form:form>
This fits under the umbrella of output-escaping, which is something that happens on the server side when processing a template to render.
An example of an xss attack this prevents is if the user entered
<script>alert("gotcha");</script> for the username, and some arbitrary value for the password. The form will rerender with the entered username bound to the form. The htmlEscape="true" attribute in the form tag will cause this output to be escaped to mitigate xss. So the username field will contain <script>alert("gotcha");</script> when the bound form rerenders with the error, instead of the actually entered valid html
Is there a standard way to achieve this same functionality in thymeleaf?
A few possibilities I see:
This is already built into thymeleaf.
I'm aware that the spring thymeleaf package uses unbescape to perform output escaping on some attributes, for example SpringValueTagProcessor which I believe escapes output on th:value attributes. However, I'm not sure this is equivalent, and fear there may be security holes left unfilled if this was done in a way that only partially mitigates what the spring form htmlEscape fully mitigates.
If so, please explain how this covers the same cases that htmlEscape does.
There is an existing Spring / Spring MVC solution that is flexible enough to not rely on jsp.
If so, what?
There is a common solution to this for thymeleaf which involves some modification of the template parsing engine.
If so, please explain.
Here is a brief article to give you an idea of what I mean regarding the spring form behavior. Regarding this article, it appears that setting the defaultHtmlEscape to false globally in the web.xml only overrides the default value of HtmlEscapeTag, which appears to only work for spring tags. Thus I don't think the solution can be applied to thymeleaf.
I would appreciate any direction here.
Escaping of output text is done automatically if you use th:text. In rare cases, you can use th:utext if you want to use unescaped text, but you have to be aware of the security implications. See Process thymeleaf variable as html code and not text for some more info.
I ended up getting an answer on the GitHub discussions for the Thymeleaf project here, which I will summarize and clarify:
HTML escaping is built into Thymeleaf form elements by default.
This is evidenced by th:input processor source code. Note the use of getDisplayString which performs html output escaping via org.springframework.web.util.HtmlUtils
I went through and manually checked all the uses of getDisplayString where htmlEscape is false and can verify that in these cases, the output is HTML escaped before displaying (in the case of SpringErrorTagProcessor and SpringUErrorsTagProcessor), they don't output any content to escape (SpringSelectedValueComparator returns a boolean), or the expression is a bound object (SPELVariableExpressionEvaluator).
See GitHub issue thymeleaf/thymeleaf-docs#84 for information regarding the docs being updated accordingly.
Using spring form, we display an input like this:
<%# taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
...
<form:input type="text" cssClass="w50" path="lastName" cssErrorClass="w50 error" placeholder="${msgLastName}" />
Sometimes, the users lastname value may content single quote, eg "Job's". This probkem is that we clean the lastname with the OWASP HTML Project, which causes the lastname to be
Job's
When the input is displayed into the browser, the ascii value is also displayed - whici is bad. I would like to display simply "Job's" into the input.
I tested with a simple JSP input, eg.
<input type="text" cssClass="w50" value="${myobject.lastName}" cssErrorClass="w50 error" placeholder="${msgLastName}" />
In this case, the rendering is fine.
My conclusion is that the problem comes from spring, but how to avoid it?
Finally found the answer.
Spring HTML-escapes the values, it doesn't really output
Job's
but
Job's
As there is an HTML character, it isn't parsed as ascii.
Using Chrome, if I inspect the DOM I cannot see the
&
but if I "edit as HTML" then I see it.
I am facing an issue that is really hard to debug. I have a JSP page that has some form elements on it that submit to a Struts2 action. I also have a XML form validation file to perform some validation on the submitted fields. The file has the naming convention 'actionName-validation.xml'
This works fine, but when I add a drop down box, outside of the form, the validation now fails. Instead it redirects to a blank page and my breakpoint in my action class is not hit.
Is there a way to turn on some kind of debugging or logging for the validation? Why would adding a tag outside of a form cause this to happen?
Here is the code on the JSP page:
<s:select id="dataSource" name="selectedDataSource" theme="simple" listValue="top"
headerKey="" headerValue="Choose Data" list="dataSources" size="1" />
<div id="forms">
<s:form method="post" action="MyAction" theme="simple">
<p>
<label class="input" for="name"
<span style="color:red;">*</span>
<span>Name</span><br>
<s:textfield theme="simple" name="name" maxlength="11" size="11" />
<br>
<s:fielderror theme="plain"><s:param value="'name'" /</s:fielderror></label>
</p>
<s:submit value="Create New" theme="simple" cssStyle="display: block; clear: left;"/>
</s:form>
</div>
If I remove the <s:select> tag, it works.
Any help would be greatly appreciated it.
EDIT2: I found the problem. I needed a get method for the list that is used to populate the select drop down inside the action that the form submits to.
I had one for the action that initially is called for the page, but when the validation fails and it re-loads that page from the form action class, it tries to re-populate the select drop down and needs a getter there. I feel silly for not finding that sooner. Would be nice if there were some type of logging or messaging of these types of issues.
thanks.
The error you are encountering is not a validation error (handled by the Validation Interceptor), but an error occurred when setting the parameters (raised by the Parameters Interceptor) and for which the Conversion Error Interceptor added a fieldError, which you are not seeing because
your INPUT result lands on a blank page and
you are using theme="simple" on the textfield, which forces you to add <s:fielderror fieldName="dataSource" /> to show it (or <s:fielderror /> to show them all).
Read how the INPUT result works, set your page as the INPUT page, print the errors, then you will discover the problem, that is most likely related to the fact that you've not specified a listKey attribute in your select, that is sending the description instead of the code of the datasource to selectedDataSource, which is probably an Integer.
I found the problem. I needed a get method for the list that is used to populate the select drop down inside the action that the form submits to.
I had one for the action that initially is called for the page, but when the validation fails and it re-loads that page from the form action class, it tries to re-populate the select drop down and needs a getter there. I feel silly for not finding that sooner. Would be nice if there were some type of logging or messaging of these types of issues.
I am changing some code from a home grown MVC to Spring 2.5 MVC. We have a form to edit an object, so I am using formBackingObject() in my controller to populate the form fields with the current values. In the old MVC, we used the JSTL fmt taglib to format date and money fields. This was nice because the formatting was in the presentation layer.
Now with Spring, the fields are populated correctly with formBackingObject(), but Spring doesn't recognize the the value attribute in the form:input element:
<%# taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %>
<form:form method="post" commandName="editProgramCommand" name="editTitleForm">
<fmt:formatNumber type="NUMBER" value="${program.price}" var="formattedPrice" minFractionDigits="2" />
<form:input path="price" id="price" value="${formattedPrice}" />
... other fields
</form:form>
Thoughts on how to properly format values in a Spring form? I'm not finding much on the web, so I figure its either a really simple syntax error, or I'm completely on the wrong track.
Spring form:input recognize the value of the input from its path attribute and not from the value attribute. If you see the spring form tld, there is no attribute value for the form input tag.
One way which i think is format the values in the back end and bring and set it in the front end.
Otherwise you can use the conventional spring:bind instead of spring form. Spring Bind Reference
What's the proper way to create a hyperlink in Spring+JSP? There must be a better way than just coding in the <a href="..."> tag. Take for example a page that displays people. The URL is people.htm. The corresponding controller gets people from the database and performs optional column sorting. The JSP might look like:
<table>
<tr>
<td>Name</td>
<td>Age</td>
<td>Address</td>
</tr>
...
This seems bad as the URL people.htm is hardcoded in the JSP. There should be a way to have Spring automatically build the <a> tag using the URL defined in servlet.xml.
Edit: Maybe I should be using a Spring form.
The only thing that comes to mind is the JSTL standard tag <c:url>. For example:
<c:url var="thisURL" value="homer.jsp">
<c:param name="iq" value="${homer.iq}"/>
<c:param name="checkAgainst" value="marge simpson"/>
</c:url>
Next
Now this won't get you servlet mapping or the like but nothing will. It's not something you could really do programmatically (after all, a servlet can and usually does map to a range of URLs). But this will take care of escaping for you.
I haven't seen this kind of functionality in pure spring (although grails offers things like that).
For your specific case you might consider removing the file part and only using the query string as the href attribute:
<td>Name</td>
<td>Age</td>
<td>Address</td>
These links append the query string to the path component of the current url.
In Spring MVC in jsp:
You can use:
General Hyperlink:
Click Here
If passing from controller:
Click Here
Jsp tags
<c:url var="URL" value="login">
<c:param name="param" value="${parameter}"/>
</c:url>
Click Here
Hope it Helps.. :)
Better way to create link is:
Name
<%=request.getContextPath() %> makes sure that correct URI will be taken into account.
"sort" parameter you can get over with hidden field and change a value with a little bit of javascript:
<input type="hidden" name="sort" id="sort" value="name">
And controller method should look like this:
#RequestMapping("/people")
public String createUser(String sort) {
...
}
Import this package in your jsp file
<%# taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
when you want to redirect new page or url then use for eg.
<a href='<c:url value="url of next page" />'>Home</a>