Basically you need to do pretty much what you did with groovy:
{{velocity}}
#set($test = "**hello**<b>test</b>")
{{html clean="false"}}
<textarea cols="75" rows="2"
name="description">$escapetool.html($test)</textarea>
{{/html}}
{{/velocity}}
Several notes:
* xwiki="false" does not exist and wiki="false" is already the default in the html macro. See all the velocity tools.
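The same pattern applied to genuinely user-controlled input, as an added example that is not part of the thread: the textarea is prefilled from a request parameter (the parameter name "description" is an assumption), passed through $escapetool.html, and emitted inside an html macro with the default wiki="false" so it is neither wiki-rendered nor interpreted as markup.

```velocity
{{velocity}}
## Added example, not from the original thread.
## $request and $escapetool are standard XWiki Velocity bindings;
## the "description" parameter name is assumed for illustration.
## Quoting with $! yields "" instead of "null" when the parameter is absent.
#set($description = "$!request.getParameter('description')")
{{html clean="false"}}
<form method="post">
<textarea cols="75" rows="2"
name="description">$escapetool.html($description)</textarea>
<input type="submit" value="Save"/>
</form>
{{/html}}
{{/velocity}}
```

Because the html macro defaults to wiki="false", `**` stays literal, and `<b>` reaches the browser as `&lt;b&gt;`, which the textarea shows as text rather than interpreting as a tag.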
On Mon, Dec 3, 2012 at 8:52 AM, David Delbecq <david.delbecq(a)meteo.be> wrote:
Hello,
I'd like some information on how to get xwiki + velocity to render
properly a form containing a prefilled <textarea>. I have tried several ways
and, in the end, I ended up using a groovy script, which requires
developer privilege. All other options I tried had issues. Could someone
tell me if there is a way to get it to work with.
I have a variable X, I want the content of X to be html escaped (eg <b>
becomes &lt;b>) and output in the final document between <textarea>
</textarea> tags.
So far, I attempted the following:
{{velocity}}
#set($test = "**hello**<b>test</b>")
{{html clean="false" xwiki="false"}}
<textarea cols="75" rows="2" name="description">$test</textarea>
{{/html}}
{{/velocity}}

{{velocity xwiki="false"}}
#set($test2 = "**hello2**<b>test</b>")
{{/velocity}}
{{html clean="false" xwiki="false"}}<textarea cols="75" rows="2" name="description">{{/html}}{{velocity xwiki="false"}}${test2}{{/velocity}}{{html clean="false" xwiki="false"}}</textarea>{{/html}}

{{velocity xwiki="false"}}
#set($test3 = "**hello3**<b>test</b>")
{{/velocity}}
{{html clean="false" xwiki="false"}}<textarea cols="75" rows="2" name="description">{{/html}}{{velocity xwiki="false"}}${test3}{{/velocity}}{{html clean="false" xwiki="false"}}</textarea>{{/html}}

{{groovy}}
test4 = org.apache.commons.lang.StringEscapeUtils.escapeHtml("**hello4**<b>test</b>");
{{/groovy}}
{{velocity xwiki="false"}}{{html clean="false" xwiki="false"}}<textarea cols="75" rows="2" name="description">${test4}</textarea>{{/html}}{{/velocity}}

And got the following renders (HTML sources):
<textarea cols="75" rows="2" name="description">**hello**<b>test</b></textarea>

<textarea cols="75" rows="2" name="description"><strong>hello2</strong><b>test</b></textarea>

<textarea cols="75" rows="2" name="description"><strong>hello3</strong><b>test</b></textarea>

<textarea cols="75" rows="2" name="description">**hello4**<b>test</b></textarea>
As you can see: option 1 left <b></b> tags as is, which can lead to an html
injection vulnerability in my form.
Options 2 and 3 replaced ** with <strong>, which means we alter user input :/
Option 4 works but requires developer privileges. :/
David Delbecq
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users