
HTML encoding/escaping with StringTemplate and Spring MVC


Last week my colleague T.C. and I had to work out how to HTML encode user-entered values when redisplaying them on the page, to prevent cross-site scripting (XSS) attacks on the website.

I wrote a blog post a couple of years ago describing how to do this in ASP.NET MVC. The general idea is the same here: output encoding is done in one place, by a custom renderer that HTML encodes every string that passes through it, rather than relying on each template to remember to escape.

In our case this meant writing a custom AttributeRenderer for StringTemplate and hooking it into Spring MVC.

We already had a view class, StringTemplateView, so the renderer just needed to be registered there.

The viewResolver was defined like so:

    @Bean
    public ViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setPrefix("/WEB-INF/templates/");
        viewResolver.setViewClass(StringTemplateView.class);
        viewResolver.setSuffix(".st");
        return viewResolver;
    }


And after some guidance from Jim we changed StringTemplateView to look like this:

    import static java.lang.String.format;

    import java.util.Map;

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.antlr.stringtemplate.AttributeRenderer;
    import org.antlr.stringtemplate.StringTemplate;
    import org.antlr.stringtemplate.StringTemplateGroup;
    import org.springframework.web.servlet.view.InternalResourceView;
    import org.springframework.web.util.HtmlUtils;

    public class StringTemplateView extends InternalResourceView {

        @Override
        protected void renderMergedOutputModel(Map<String, Object> model, HttpServletRequest request, HttpServletResponse response) throws Exception {
            String templateRootDir = format("%s/WEB-INF/templates", getServletContext().getRealPath("/"));

            StringTemplateGroup group = new StringTemplateGroup("view", templateRootDir);
            // The bean name is the view name the resolver was asked for, i.e. the .st file to load
            StringTemplate template = group.getInstanceOf(getBeanName());

            // Every String attribute this template writes goes through the escaping renderer
            AttributeRenderer htmlEncodedRenderer = new HtmlEncodedRenderer();
            template.registerRenderer(String.class, htmlEncodedRenderer);

            ...
        }

        private class HtmlEncodedRenderer implements AttributeRenderer {
            @Override
            public String toString(Object o) {
                return HtmlUtils.htmlEscape(o.toString());
            }

            // Called when the template supplies a format option; the name is ignored here,
            // so every string is escaped regardless of how it is referenced
            @Override
            public String toString(Object o, String formatName) {
                return HtmlUtils.htmlEscape(o.toString());
            }
        }
    }


At the moment we want to HTML encode everything we render through StringTemplate, but if that changes we could use the formatName parameter, which we are currently ignoring: StringTemplate passes the format option of an expression (for example $value; format="raw"$) to the two-argument toString, so a template could opt specific, trusted attributes out of escaping.

Two caveats are worth keeping in mind. HtmlUtils.htmlEscape produces text that is safe inside an HTML element body or a double-quoted attribute value; it does not make a value safe inside a script block, an unquoted attribute or a URL, which each need their own encoding. And the renderer is registered for String only, so an attribute of another type is written with its own toString() and is not escaped.

In retrospect this looks pretty simple to do, but my Googling skills were failing me at the time, so I thought it would be good to document.
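To check that the renderer actually neutralises a payload, and to see the formatName opt-out and the String-only registration in action, here is an added, stand-alone example that is not from the original post. It assumes StringTemplate 3.x and spring-web on the classpath, uses a constructed template string and a constructed payload instead of the .st files under WEB-INF, and the "raw" format name and the HtmlEscapeRendererDemo class are my own naming.

```java
import org.antlr.stringtemplate.AttributeRenderer;
import org.antlr.stringtemplate.StringTemplate;
import org.springframework.web.util.HtmlUtils;

// Added example (not from the post): render a template containing an XSS payload
// with and without the escaping renderer and check what comes out.
public class HtmlEscapeRendererDemo {

    // Same idea as the post's renderer, plus a "raw" format (my naming) that opts a
    // single attribute out of escaping; use it only for markup you generated yourself.
    static final class HtmlEncodedRenderer implements AttributeRenderer {
        @Override
        public String toString(Object o) {
            return HtmlUtils.htmlEscape(o.toString());
        }

        @Override
        public String toString(Object o, String formatName) {
            if ("raw".equals(formatName)) {
                return o.toString();   // $attr; format="raw"$ in the template
            }
            return toString(o);
        }
    }

    // Constructed payload: what a user might type into a "display name" field.
    static final String PAYLOAD = "<script>alert(document.cookie)</script>";

    static String render(String templateText, Object name, boolean escape) {
        StringTemplate template = new StringTemplate(templateText);
        if (escape) {
            template.registerRenderer(String.class, new HtmlEncodedRenderer());
        }
        template.setAttribute("name", name);
        return template.toString();
    }

    public static void main(String[] args) {
        String body = "<p>Hello $name$</p>";

        String unsafe = render(body, PAYLOAD, false);
        String safe = render(body, PAYLOAD, true);
        System.out.println("without renderer: " + unsafe);
        System.out.println("with renderer:    " + safe);

        // The check you would put in a test: the raw tag must not survive rendering.
        if (!unsafe.contains("<script>")) {
            throw new AssertionError("expected the unescaped output to contain the payload");
        }
        if (safe.contains("<script>") || !safe.contains("&lt;script&gt;")) {
            throw new AssertionError("renderer failed to entity-encode the payload: " + safe);
        }

        // Opt-out: the same payload referenced with format="raw" is written unchanged.
        String raw = render("<p>Hello $name; format=\"raw\"$</p>", PAYLOAD, true);
        if (!raw.contains("<script>")) {
            throw new AssertionError("format=\"raw\" should bypass escaping: " + raw);
        }

        // Limitation: the renderer is keyed on the attribute's class, so a non-String
        // attribute whose toString() yields markup is written without escaping.
        Object markupObject = new Object() {
            @Override public String toString() { return PAYLOAD; }
        };
        String nonString = render(body, markupObject, true);
        System.out.println("non-String attribute: " + nonString);
        if (!nonString.contains("<script>")) {
            throw new AssertionError("expected non-String attribute to bypass the renderer");
        }
    }
}
```

Running this prints the entity-encoded form for the String attribute and the raw script tag for the other two cases, which is the behaviour the caveats above describe; in a real view, keep the model values as Strings and put any per-attribute "raw" decisions in the template where a reviewer can see them.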


From http://www.markhneedham.com/blog/2011/04/09/html-encodingescaping-with-stringtemplate-and-spring-mvc
