Hello!
I got a weird situation.
I'm creating a plugin with a web-panel and passing custom parameters to a Velocity template. In these parameters I have some HTML code.
So, the problem is: if I name my variable html then Velocity renders my code as normal HTML. But if I name my variable, say, test then Velocity escapes my HTML code and renders raw HTML.
Has anyone encountered such a problem? I've read about <tt>ReferenceInsertionEventHandler</tt>, but I haven't found it in Jira's source.
I don't mind naming my variable html, but I need several of them :-/
Thanks in advance
Found in license-admin.vm file:
    ## Because these message may embed html tags that we don't want to be overescaped
    #set($successMessageWithHtml = $successMessage)
Excellent -- appending WithHtml to a variable name does indeed prevent escaping. Thank you so much!
Thanks Damian. Today I learnt something from the interwebs.
It is really impossible to know that one should append WithHtml to the variable name.
That is what answers are for - you can find it here ;)
In fact this is also documented:
https://developer.atlassian.com/display/CONFDEV/Anti-XSS+documentation
https://developer.atlassian.com/display/CONFDEV/Enabling+XSS+Protection+in+Plugins
(just hard to find... ;-)
Cheers,
-Stefan
Actually you only need to append "Html" to the method name, the rest of the name is up to you.
Did you try marking your getters @HtmlSafe? That works in Confluence anyway...
Nope, it doesn't work - or maybe I can't find the correct place for it.
I decided to do it via an ajax call.
Thanks for the reply, anyway!
It doesn't work for me either. I tried annotating my action's method with all these @HtmlSafe annotations: com.atlassian.velocity.htmlsafe.HtmlSafe, com.atlassian.confluence.velocity.htmlsafe.HtmlSafe, com.atlassian.templaterenderer.annotations.HtmlSafe.
Just tested it in Confluence 5.3.1, whether it works seems to depend on the way you reference your property from within Velocity:
@HtmlSafe public String getScratch() { return scratch; }
unescaped output: $action.getScratch()
unescaped output: $action.Scratch
escaped output: $Scratch
I've found a way to use @HtmlSafe.
    public static class Unescaper {

        private static Unescaper singleton = new Unescaper();

        /**
         * Just returns the {@code text} parameter. Because this method is annotated with {@code @HtmlSafe} the returned
         * value will not be escaped when it is inserted into the rendered template.
         *
         * @param text Text that we don't want escaped
         * @return {@code text} unmodified
         */
        @HtmlSafe
        public String html(Object text) {
            return text.toString();
        }

        public static Unescaper getSingleton() {
            return singleton;
        }
    }
Add an instance of this static class to the context:
paramsBuilder.add("unescaper", Unescaper.getSingleton());
And then you can use it in a velocity template like this:
$unescaper.html($some_variable)
If you, like me, encounter errors from Maven, here's a copy/paste solution to insert into pom.xml:
    <dependency>
        <groupId>com.atlassian.velocity.htmlsafe</groupId>
        <artifactId>velocity-htmlsafe</artifactId>
        <version>1.1.beta1</version>
        <scope>provided</scope>
        <!-- Working around http://jira.codehaus.org/browse/MNG-2742 - depends on version range [1.5,1.7) -->
        <exclusions>
            <exclusion>
                <groupId>org.apache.velocity</groupId>
                <artifactId>velocity</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
Hope it will help someone.
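A simplified Java model of the behaviour reported in this thread, added here as an example and not taken from any post or from Atlassian's code. It assumes only the rule stated in the thread (a reference named html, or one whose name ends in Html, is written unescaped) and shows why a value exposed under such a name has to be escaped before it is put into the context. The class, method and context-key names are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class HtmlSuffixDemo {
    // Simplified model of the rule described in this thread (an assumption,
    // not Atlassian's code): a reference named "html" or ending in "Html"
    // is written to the page as-is; every other reference is HTML-escaped.
    static boolean emittedRaw(String referenceName) {
        return referenceName.equals("html") || referenceName.endsWith("Html");
    }

    // Minimal HTML escaping; '&' is replaced first so entities are not double-encoded.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // What ends up in the page for $referenceName under the model above.
    static String render(String referenceName, String value) {
        return emittedRaw(referenceName) ? value : escapeHtml(value);
    }

    // The markup is written by the plugin; the user-supplied part is escaped
    // before it is joined in, so the result can be exposed as "...Html".
    static String noteHtml(String userText) {
        return "<p class=\"note\">" + escapeHtml(userText) + "</p>";
    }

    public static void main(String[] args) {
        String userText = "<script>alert(1)</script>"; // constructed sample input
        Map<String, String> context = new LinkedHashMap<>();
        context.put("test", userText);               // escaped by the renderer
        context.put("commentHtml", userText);        // weak: user input reaches the page unescaped
        context.put("noteHtml", noteHtml(userText)); // corrected: escaped first, then exposed as HTML
        for (Map.Entry<String, String> e : context.entrySet()) {
            System.out.println("$" + e.getKey() + " -> " + render(e.getKey(), e.getValue()));
        }
    }
}
```

The same applies to a value passed through an @HtmlSafe method such as the Unescaper above: whatever it returns is inserted into the page as-is, so any user-controlled part must already be encoded.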