Question

How to show (and not render) HTML code with Microflow Label (SOLVED)

1

Hi, With the microflow label widget (version 1.1) I want to show a piece of HTML code. Currently it renders the HTML. Do you have a suggestion what to do? Regards, Paul

asked 2011-08-24

Paul Poetsma

3 answers

1

I filed a bug report. I hadn't thought of the security impact yet but you are absolutely right Bas.

Now the newbie question: how to create the Java Action? (Assuming that the Java Action is the way to go) I've never done this so could you give a hint? I know how to add a Java Action, but I'm lost on what to specify where.

answered 2011-08-24

Paul Poetsma

0

I suggest filing a bug/ feature request at support.mendix.com

answered 2011-08-24

Michel Weststrate

Sebastiaan van den Broek · Accepted Answer · 2011-08-24

It seems this widget is bugged as it should not render potential user input as HTML either way, especially not without an explicit setting. But you can escape the HTML so it doesn't show the HTML but the text. For example the Apache Commons library has a class for this, org.apache.commons.lang.StringEscapeUtils, so you could do this in a Java action. Simply call StringEscapeUtils.escapeHtml() and you'll get a string back that has the HTML characters escaped. So for example the < will be replaced with < (notice I had to double escape these characters to make them show properly here too)

Edit: I do recommend filing the bug report for this custom widget though, especially if you ever display user input in this widget to other users. It could be unsafe as someone could put javascript in there and have it executed.