Recipe 3.10. Filtering Text Input

Problem

You want to render data containing HTML tags, and you want that data to be interpreted and processed by the browser as HTML markup.

Solution

This is about as simple as it gets:

<bean:write name="myForm" property="freeText" filtered="false"/>

You can allow unfiltered values when using JSTL:

<c:out value="${myForm.freeText}" escapeXml="false"/>

Discussion

When you use the Struts bean:write tag to generate text, by default any special characters sensitive to HTML processing are replaced with their entity equivalents. For example, the greater than character (>) is replaced with the &gt; character entity. This feature is known as response filtering and is enabled by default. In most cases, the filtering is desired, as an unfiltered response can be misinterpreted by the browser. Table 3-4 shows the characters and the corresponding replacement entities that are filtered by the bean:write tag.

Table 3-4. Filtered characters

| Character name | Character value | Replacement entity |
|---|---|---|
| Less than | < | &lt; |
| Greater than | > | &gt; |
| Ampersand | & | &amp; |
| Double quote | " | &quot; |
| Backslash | \ | &#39; |


Sometimes, however, you want rendered text to include HTML tags. Suppose you had an online journaling application that allows a user to enter text that will be displayed on a page. Allowing HTML permits the user to use tags that make text appear in bold or italics. The text could contain hyperlinks, different font sizes, and images. In other situations, your application may be retrieving HTML template text from some other source such as another URL, an XML file, a web service, or a database.

By setting the filtered attribute of the bean:write tag to false, you instruct the Struts tag not to replace the special characters with the corresponding entities. First, take a look at how the filtering works. Say a user enters the following text into a form:

Struts <b>rocks</b>!

Now this text is rendered using the bean:write tag. The text with the character entities replacing the special characters, when the filtered attribute is set to true (the default value), looks like this:

Struts &lt;b&gt;rocks&lt;/b&gt;!

This is most likely not what the user wanted. He wanted it to look something like "Struts rocks!", with "rocks" in bold. Since the intent was to allow the user to enter embellishing HTML tags, setting the filtered attribute to false yields the correct rendering:

Struts <b>rocks</b>!

The browser will recognize the tags and apply the HTML markup as desired.

This is a useful mechanism when rendering a web page. However, care must be taken when using this approach. If the data are not filtered, then the layout of the rendered HTML can be compromised, and the entire page could appear mangled. For example, suppose the following text was entered:

Struts <b>rocks<b>!

At first glance, this looks fine. However, notice that the forward slash is missing on what should be the closing b (bold) element. This mistake is easily overlooked, and it could make all the text on the rest of the page appear bolded!

Unfortunately, avoiding this error is difficult. The best you can do is to try to ensure that the entered data is valid HTML. One option is to process the data through an XML parser. This will detect problems such as unbalanced tags. Another alternative is to process the data through a parser that will attempt to fix any errors, such as JTidy. Finally, if the data are coming from an uncontrolled source such as a user, you may want to disallow HTML altogether. If you still want the user to be able to enter text enhancements such as bold and italic, and hyperlinks, then you may want to consider using an alternative form of markup such as WikiText or UBB Code.
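One way to apply the XML-parser check described above before deciding whether freeText may be written with filtered="false". This is an added example, not code from the book or from Struts. The class name FreeTextCheck, the method mayRenderUnfiltered, and the allowlist of b and i are assumptions, and the allowlist step goes beyond the well-formedness check the text suggests.

```java
import java.io.StringReader;
import java.util.Set;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class FreeTextCheck {
    // Assumption: the only markup this application accepts from users.
    private static final Set<String> ALLOWED = Set.of("b", "i");

    /** True only if the fragment is well-formed and uses nothing but attribute-free allowed tags. */
    public static boolean mayRenderUnfiltered(String fragment) {
        if (fragment == null) return false;
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            // Reject DOCTYPE declarations so user input can never define or pull in entities.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            DocumentBuilder builder = factory.newDocumentBuilder();
            builder.setErrorHandler(new DefaultHandler()); // keep parse errors off stderr
            // Wrap in a synthetic root element: user text is a fragment, not a document.
            InputSource in = new InputSource(new StringReader("<root>" + fragment + "</root>"));
            return onlyAllowed(builder.parse(in).getDocumentElement());
        } catch (Exception e) {
            // Unbalanced or malformed markup, or a parser that cannot be hardened: fail closed.
            return false;
        }
    }

    private static boolean onlyAllowed(Node parent) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.TEXT_NODE) continue;
            if (n.getNodeType() != Node.ELEMENT_NODE) return false; // comments, CDATA, PIs
            if (!ALLOWED.contains(n.getNodeName()) || n.getAttributes().getLength() > 0) return false;
            if (!onlyAllowed(n)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed samples; the first two are the strings used in the Discussion.
        String[] samples = { "Struts <b>rocks</b>!", "Struts <b>rocks<b>!", "<font size=\"7\">big</font>" };
        for (String s : samples) {
            System.out.println(mayRenderUnfiltered(s) + "  " + s);
        }
    }
}
```

Text that fails the check, including HTML that is not well-formed XML such as a bare <br>, should be written with the default filtered="true".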

See Also

JTidy provides a command-line interface and Java API for parsing and tidying up HTML. Details on JTidy can be found at http://jtidy.sourceforge.net. UBBCode is a markup form natively supported by PHP. It is possible to process UBBCode using Java. A PHP function for parsing UBBCode that could be rewritten in Java can be found at http://www.firegemsoftware.com/other/tutorials/ubb.php.



    Jakarta Struts Cookbook
    ISBN: 059600771X
    Year: 2005
    Pages: 200