JSF SelectItem and escaping (XSS)

Updated: 2024-10-11 11:23:34

Problem description


there is a selectOneMenu in my example with a f:selectItems-attribute. The select-items are resolved from my bean like this:

<h:selectOneMenu value="#{bean.value}">
    <f:selectItems value="#{bean.selectItems}" var="obj" itemValue="#{obj}" itemLabel="#{obj.name}"/>
</h:selectOneMenu>


The method getSelectItems() in my bean looks like that:

public List<MyObject> getSelectItems() {
    List<MyObject> list = new LinkedList<MyObject>();
    MyObject obj = new MyObject("Peter");
    list.add(obj);
    return list;
}


The objects that are displayed are simple objects with an attribute "name".


Nothing special up to this point. But now I change my method to this:

public List<MyObject> getSelectItems() {
    List<MyObject> list = new LinkedList<MyObject>();
    // Deliberately hostile label text, as in the question: it must be escaped by the renderer.
    MyObject obj = new MyObject("<script>alert('xss is bad');</script>");
    list.add(obj);
    return list;
}


The JavaScript doesn't get escaped by the MenuRenderer class and my page shows me the alert message.


Is there any cause why the default value of the escape attribute of SelectItem is "false"? How can I fix that problem? (I use Mojarra 2.1.7)

Recommended answer


The default should indeed not have been false. I've reported it as issue 2747.


In the meanwhile, add itemLabelEscaped="true" to escape it anyway.

<f:selectItems ... itemLabelEscaped="true" />


Note that this is only necessary when you're using GenericObjectSelectItems, i.e. when you're supplying an E[]/List<E>/Map<K, V> instead of List<SelectItem>/SelectItem[]. Also note that escaping is only absolutely mandatory when it concerns user-controlled input (which is fortunately very rarely the case in dropdown values).
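Added example, not part of the original question or answer: a hypothetical managed bean (MenuBean) showing the two routes the answer describes for getting the label escaped, with the view snippets in comments. It assumes MyObject is the question's class with a name property and a getName() getter, and that the untrusted label text is a constructed sample.

```java
import java.util.ArrayList;
import java.util.List;

import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.model.SelectItem;

// Hypothetical bean for this example; MyObject is assumed to be the question's class.
@ManagedBean
@RequestScoped
public class MenuBean {

    private String value;

    // Constructed, untrusted label text used to demonstrate escaping.
    private static final String UNTRUSTED_NAME = "<script>alert('xss is bad');</script>";

    // Route 1: generic objects (E[]/List<E>), i.e. GenericObjectSelectItems.
    // With Mojarra 2.1.7 the label is NOT escaped unless the view sets
    // itemLabelEscaped="true":
    //
    //   <h:selectOneMenu value="#{menuBean.value}">
    //     <f:selectItems value="#{menuBean.objects}" var="obj"
    //                    itemValue="#{obj}" itemLabel="#{obj.name}"
    //                    itemLabelEscaped="true"/>
    //   </h:selectOneMenu>
    public List<MyObject> getObjects() {
        List<MyObject> list = new ArrayList<MyObject>();
        list.add(new MyObject(UNTRUSTED_NAME));
        return list;
    }

    // Route 2: explicit SelectItem instances. javax.faces.model.SelectItem's
    // escape flag defaults to true, and the five-argument constructor states it
    // explicitly, so the view needs no extra attribute:
    //
    //   <f:selectItems value="#{menuBean.selectItems}"/>
    public List<SelectItem> getSelectItems() {
        List<SelectItem> items = new ArrayList<SelectItem>();
        MyObject obj = new MyObject(UNTRUSTED_NAME);
        // Arguments: value, label, description, disabled, escape
        items.add(new SelectItem(obj, obj.getName(), null, false, true));
        return items;
    }

    public String getValue() { return value; }
    public void setValue(String value) { this.value = value; }
}
```

In both routes the rendered option label becomes &lt;script&gt;... text rather than a live script tag; as in the question, using MyObject itself as the item value still requires a converter, which is unchanged here.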


Published: 2023-11-24 22:08:43
Link: https://www.elefans.com/category/jswz/34/1627052.html