Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to prevent velocity escape html

grundic
grundic
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 7, 2011

Hello!

I got a wired situation.

I'm creating plugin with web-panel and passing custom parameters to velocity template. In this parameters I got some html code.

So, the problem is: if I name my variable html then velocity renders my code as normal html. But if I name my variable, say, test then velocity escapes my html code and renders raw html.

Does someone encounter such a problem? I've read about <tt>ReferenceInsertionEventHandler</tt>, but I have't found it in Jira's source.

I don't mind to name my variable html, but I need several ones :-/

Thanks in advance

Watch
Like # people like this
10035 views

4 answers

1 accepted

Comments for this post are closed

Community moderators have prevented the ability to post new answers.

Post a new question

19 votes
Answer accepted
Damian Nowak
Damian Nowak March 27, 2012

Found in license-admin.vm file:

## Because these message may embed html tags that we don't want to be overescaped

#set($successMessageWithHtml = $successMessage)

View More Comments
Charles Duffy
Charles Duffy
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
May 22, 2012

Excellent -- appending WithHtml to a variable name does indeed prevent escaping. Thank you so much!

Like
David at David Simpson Apps
David at David Simpson Apps
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
June 20, 2012

Thanks Damian. Today I learnt something from the interwebs.

Like
Reply
1 vote
Muhammad Ali
Muhammad Ali June 4, 2012

this is really impossible to know that one should append WithHtml to variable name.

View More Comments
grundic
grundic
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
June 4, 2012

That is answers are for - you can find it here ;)

Like
Stefan Kleineikenscheidt _K15t_
Stefan Kleineikenscheidt _K15t_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
June 20, 2012

In fact this is also documented:

https://developer.atlassian.com/display/CONFDEV/Anti-XSS+documentation
https://developer.atlassian.com/display/CONFDEV/Enabling+XSS+Protection+in+Plugins

(just hard to find... ;-)

Cheers,
-Stefan

Like # people like this
Andrew S
Andrew S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 11, 2014

Actually you only need to append "Html" to the method name, the rest of the name is up to you.

Like Sascha Novakovic likes this
Reply
1 vote
NielsJ
NielsJ
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 11, 2011

Did you try marking your getters @HtmlSafe? That works in Confluence anyway...

View More Comments
grundic
grundic
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 18, 2011

Nope, it does't work - or, may be I can't find correct place for it.

I decided to make it via ajax call.

Thanks for reply, anyway!

Like
Damian Nowak
Damian Nowak March 27, 2012

It doesn't work for me either. I tried annotating my actions method with all these @HtmlSafe annotations: com.atlassian.velocity.htmlsafe.HtmlSafe, com.atlassian.confluence.velocity.htmlsafe.HtmlSafe, com.atlassian.templaterenderer.annotations.HtmlSafe.

Like
D. Brutscher
D. Brutscher
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 21, 2013

Just tested it in Confluence 5.3.1, whether it works seems to depend on the way you reference your property from within Velocity:

@HtmlSafe
public String getScratch() {
    return scratch;
}

unescaped output: $action.getScratch()
unescaped output: $action.Scratch
escaped output: $Scratch

Like
Reply
0 votes
grundic
grundic
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 26, 2011

I've found a way to use @HtmlSafe.

public static class Unescaper {

    private static Unescaper singleton = new Unescaper();

    /**
     * Just returns the {@code text} parameter.  Because this method is annotated with {@code @HtmlSafe} the returned
     * value will not be escaped when it is inserted into the rendered template.
     *
     * @param text Text that we don't want escaped
     * @return {@code text} unmodified
     */
    @HtmlSafe
    public String html(Object text)
    {
      return text.toString();
    }

    public static Unescaper getSingleton()
    {
      return singleton;
    }

  }

Add instance of this static class to context:

paramsBuilder.add("unescaper", Unescaper.getSingleton());

And then you can use it in a velocity template like this:

$unescaper.html($some_variable)

If you, as me, encounter errors from maven, heres copy/paste solution to insert to pom.xml:

        <dependency>
            <groupId>com.atlassian.velocity.htmlsafe</groupId>
            <artifactId>velocity-htmlsafe</artifactId>
            <version>1.1.beta1</version>
            <scope>provided</scope>
            <!-- Working around http://jira.codehaus.org/browse/MNG-2742 - depends on version range [1.5,1.7) -->
            <exclusions>
                <exclusion>
                    <groupId>org.apache.velocity</groupId>
                    <artifactId>velocity</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

Hope, it will help someone.

Reply

Comments for this post are closed

Community moderators have prevented the ability to post new answers.

Post a new question

Atlassian logo
Answers Developer Questions
TAGS
AUG Leaders

Atlassian Community Events

    See all events