In my example there is a selectOneMenu with an f:selectItems attribute. The select items are resolved from my bean like this:
```xml
<h:selectOneMenu value="#{bean.value}">
    <f:selectItems value="#{bean.selectItems}" var="obj"
                   itemValue="#{obj}" itemLabel="#{obj.name}"/>
</h:selectOneMenu>
```

The method getSelectItems() in my bean looks like this:
```java
// Getter on the managed bean (needs java.util.List and java.util.LinkedList).
public List<MyObject> getSelectItems() {
    List<MyObject> list = new LinkedList<MyObject>();
    MyObject obj = new MyObject("Peter");   // obj.name becomes the item label
    list.add(obj);
    return list;
}
```

The objects that are displayed are simple objects with an attribute "name".
Nothing special up to this point. But now I change my method to this:
```java
// Same getter, but the label now carries a script payload (kept on purpose
// to show the problem described below).
public List<MyObject> getSelectItems() {
    List<MyObject> list = new LinkedList<MyObject>();
    MyObject obj = new MyObject("<script>alert('xss is bad');</script>");
    list.add(obj);
    return list;
}
```

The JavaScript doesn't get escaped by the MenuRenderer class and my page shows me the alert message.
Is there any reason why the default value of the escape attribute of SelectItem is "false"? How can I fix that problem? (I use Mojarra 2.1.7)
Recommended answer

The default should indeed not have been false. I've reported it as issue 2747.
In the meanwhile, add itemLabelEscaped="true" to escape it anyway.
```xml
<f:selectItems ... itemLabelEscaped="true" />
```

Note that this is only necessary when you're using GenericObjectSelectItems, i.e. when you're supplying an E[]/List<E>/Map<K, V> instead of List<SelectItem>/SelectItem[]. Also note that escaping is only absolutely mandatory when it concerns user-controlled input (which is fortunately very rarely the case in dropdown values).
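The answer distinguishes the generic-object form of f:selectItems, which on Mojarra 2.1.x needs itemLabelEscaped="true" in the view, from the List<SelectItem> form, where the escape flag is set per item in Java. The bean below is an added example written for this page, not code from the question, the answer, or Mojarra; the bean name SelectItemsBean, the nested MyObject class and the sample names are assumptions, and the two names are constructed stand-ins for labels that originated from user input (the case where escaping is mandatory).

```java
import java.util.ArrayList;
import java.util.List;

import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.model.SelectItem;

// Hypothetical bean for illustration; the Facelets snippets that drive each
// getter are shown in the comments above it.
@ManagedBean
@RequestScoped
public class SelectItemsBean {

    // Minimal stand-in for the MyObject class of the question (assumed shape).
    public static class MyObject {
        private final String name;
        public MyObject(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Constructed sample data standing in for user-controlled labels, e.g. a
    // display name a user typed into a profile form. The second entry is the
    // payload from the question.
    private static final String[] USER_SUPPLIED_NAMES = {
        "Peter",
        "<script>alert('xss is bad');</script>"
    };

    private String value;

    public String getValue() { return value; }
    public void setValue(String value) { this.value = value; }

    // 1) Generic-object form (List<E>). Mojarra 2.1.x wraps these with
    //    escape=false, so the view has to say itemLabelEscaped="true":
    //
    //    <h:selectOneMenu value="#{selectItemsBean.value}">
    //        <f:selectItems value="#{selectItemsBean.objects}" var="obj"
    //                       itemValue="#{obj.name}" itemLabel="#{obj.name}"
    //                       itemLabelEscaped="true" />
    //    </h:selectOneMenu>
    public List<MyObject> getObjects() {
        List<MyObject> objects = new ArrayList<MyObject>();
        for (String name : USER_SUPPLIED_NAMES) {
            objects.add(new MyObject(name));
        }
        return objects;
    }

    // 2) Explicit List<SelectItem>. Escaping is decided per item here, so use
    //    the constructor that takes the escape flag and pass true. No
    //    itemLabelEscaped is needed in the view:
    //
    //    <h:selectOneMenu value="#{selectItemsBean.value}">
    //        <f:selectItems value="#{selectItemsBean.items}" />
    //    </h:selectOneMenu>
    public List<SelectItem> getItems() {
        List<SelectItem> items = new ArrayList<SelectItem>();
        for (String name : USER_SUPPLIED_NAMES) {
            MyObject obj = new MyObject(name);
            // SelectItem(value, label, description, disabled, escape):
            // the String value avoids needing a converter; escape=true makes
            // the renderer emit &lt;script&gt;... instead of live markup.
            items.add(new SelectItem(obj.getName(), obj.getName(), null, false, true));
        }
        return items;
    }
}
```

With either form, the rendered option text for the second entry should be the literal string `<script>alert('xss is bad');</script>` in the dropdown rather than an executed alert; if the alert still fires, the label is being rendered with escape=false somewhere, which is the situation the question describes.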