Many time we know that we need to escape the URL title and need mechanisms in Liferay to escape characters.
So here is the brief of escaping :
So here is the brief of escaping :
Functions :
- HtmlUtil.escape() is for inserting untrusted data into an HTML element
- HtmlUtil.escapeHREF() is for inserting full URLs into the href attribute
- HtmlUtil.escapeURL() is for inserting untrusted data into URL parameter values
- HtmlUtil.escapeAttribute() is for inserting untrusted data into HTML element attribute values
- HtmlUtil.escapeCSS() is for inserting untrusted data into CSS property values
- HtmlUtil.escapeJS() is for inserting untrusted data into JavaScript strings
When to Escape ???
Escaping at the right time is important to make sure that 1) data is not escaped multiple times and 2) data is not changed to a different value before all business logic is done processing.Rule 1 : Don't escape before persisting
There's a few reason why it's generally a bad idea to escape the data before it's persisted.- It increases the size of the data that must be stored
- You may need the original at some point in the future. If the data is escaped already, it'll be very difficult to get back the original.
Rule 2 : Escape at the last minute
Escaping should be done at the last minute. This avoids situations where the data is escaped before all the business logic is done. Practically, this means that most of the escaping should be done in .jsp files and not in .java files.Pattern 1 : LanguageUtil
The values in a Language.properties file may contain HTML elements and they are always safe. So, you should avoidHtmlUtil.escape(LanguageUtil.format(pageContext, "entries-with-tag-x", tagName))
and instead do LanguageUtil.format(pageContext, "entries-with-tag-x", HtmlUtil.escape(tagName))
Posts
