Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

HTML encoding/escaping with StringTemplate and Spring MVC

DZone's Guide to

HTML encoding/escaping with StringTemplate and Spring MVC

· Java Zone
Free Resource

Managing a MongoDB deployment? Take a load off and live migrate to MongoDB Atlas, the official automated service, with little to no downtime.

Last week my colleague T.C. and I had to work out how to HTML encode the values entered by the user when redisplaying those onto the page to prevent a cross site scripting attack on the website.

I wrote a blog post a couple of years ago describing how to do this in ASP.NET MVC and the general idea is that we need to have a custom renderer which HTML encodes any strings that pass through it.

In our case this means that we needed to write a custom renderer for String Template and hook that into Spring MVC.

We already had a view class StringTemplateView so we needed to add to that class and add our custom renderer.

The viewResolver was defined like so:

    @Bean
public ViewResolver viewResolver() {
InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
viewResolver.setPrefix("/WEB-INF/templates/");
viewResolver.setViewClass(StringTemplateView.class);
viewResolver.setSuffix(".st");
return viewResolver;
}

 

And after some guidance from Jim we changed StringTemplateView to look like this:

public class StringTemplateView extends InternalResourceView {

@Override
protected void renderMergedOutputModel(Map<String, Object> model, HttpServletRequest request, HttpServletResponse response) throws Exception {
String templateRootDir = format("%s/WEB-INF/templates", getServletContext().getRealPath("/"));

StringTemplateGroup group = new StringTemplateGroup("view", templateRootDir);
StringTemplate template = group.getInstanceOf(getBeanName());

AttributeRenderer htmlEncodedRenderer = new HtmlEncodedRenderer();
template.registerRenderer(String.class, htmlEncodedRenderer);

...
}

private class HtmlEncodedRenderer implements AttributeRenderer {
@Override
public String toString(Object o) {
return HtmlUtils.htmlEscape(o.toString());
}

@Override
public String toString(Object o, String formatName) {
return HtmlUtils.htmlEscape(o.toString());
}
}
}

 

At the moment we want to HTML encode everything that we render through StringTemplate but if that changes then we could make use of the formatName parameter which we’re currently ignoring.

In retrospect this looks pretty simple to do but my Googling skills were pretty much failing me at the time so I thought it’d be good to document.


From http://www.markhneedham.com/blog/2011/04/09/html-encodingescaping-with-stringtemplate-and-spring-mvc

MongoDB Atlas is the easiest way to run the fastest-growing database for modern applications — no installation, setup, or configuration required. Easily live migrate an existing workload or start with 512MB of storage for free.

Topics:

Opinions expressed by DZone contributors are their own.

THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}