HTML content rendering in JSF
Question
I have two fields: input and output. In input i'm writing html code, push on the button and see rendered code in output field.
<h:form id="displayForm">
<p:commandButton value="Execute" actionListener="#{screenController.executeCode}" update="displayForm:output"/>
<h:inputTextarea value="#{screenModel.input}" rows="20" cols="165"/>
<br/>
<h:outputText id="output" value="#{screenModel.output}" escape="false"/>
</h:form>
But, when I'm wrote
<script>
document.write("1")
</script>
All page was rendered. I don't know about java-script absolutely, but I have idea. I can replace document on some code, than rendering will be only on "output" field. How I can do this?
1 answers
solution1
1 ACCPTED 2013-11-15 20:11:12
Print it in a standalone page which you display via an <iframe> .
Regardless of the approach, redisplaying user-controlled input as unescaped HTML opens a gaping XSS attack hole on your server. You'd rather not want the endusers being able to run JavaScript completely out of control on your server. Sanitize all potentially malicious HTML tags and attributes away using some HTML cleaner like Jsoup .
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.