GWT Templates & GXT XTemplates - how to sanitize display fields - gwt

I'm just getting into using @Template and @XTemplate within my code.
I'm always concerned about user originated content vs trusted content.
This is the sample from the GWT SafeHtml docs:
public interface MyTemplates extends SafeHtmlTemplates {
    @Template("<span class=\"{3}\">{0}: <a href=\"{1}\">{2}</a></span>")
    SafeHtml messageWithLink(SafeHtml message, String url, String linkText,
                             String style);
}
This is the sample from the GXT XTemplate doc:
public interface SampleXTemplates extends XTemplates {
    @XTemplate("<div>Hello, {name}!</div>")
    SafeHtml hello(String name);
}
In either, is there a way in the template to declare a display field to be sanitized or trusted?
Something à la HtmlSanitizer?

All String values rendered in an XTemplate/SafeHtmlTemplates are automatically sanitized - try passing in <, >, or & characters. This is true whether they are passed in to an attribute or the space between tags. If GWT cannot ensure the safety of such a string (such as passing it into the href attribute of the a tag, or into a style attribute), it will emit a warning. Your first example is likely to get such a warning.
SafeHtml instances can be passed in to declare 'I know that this string is safe'. Typically, you create those using SafeHtmlUtils, a SafeHtmlBuilder instance, or another template of some kind.
Safe urls can be SafeUri instances - create them with UriUtils. This will get around the possible warning in your first example.
Safe styles can be SafeStyles instances - create them using SafeStylesBuilder instances or static methods in the SafeStylesUtils class.
And finally, as an implementation detail, XTemplates are generated by parsing out the logic and the named parameters and getters, and turned into SafeHtmlTemplates before being generated into JavaScript. This ensures that anything that SafeHtmlTemplates will make safe will also be safe in XTemplates.
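As an added example (not code from the answer above), here is the question's first template reworked so that the href slot takes a SafeUri and a style attribute takes SafeStyles, with a render method showing how each kind of untrusted input is handled. The MessageRenderer class, the render method, the extra cssClass/style parameters and the sample CSS value are my own assumptions.

```java
import com.google.gwt.core.client.GWT;
import com.google.gwt.safecss.shared.SafeStyles;
import com.google.gwt.safecss.shared.SafeStylesUtils;
import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.safehtml.shared.SafeUri;
import com.google.gwt.safehtml.shared.UriUtils;

public class MessageRenderer {

    // The question's template with one extra slot: {1} is now a SafeUri and the
    // style attribute {4} is SafeStyles, so the generator no longer has to guess
    // (and warn) about a plain String landing in href or style. {3} stays a String:
    // a class attribute is neither URI- nor CSS-valued, so escaping it is enough.
    public interface MyTemplates extends SafeHtmlTemplates {
        @Template("<span class=\"{3}\" style=\"{4}\">{0}: <a href=\"{1}\">{2}</a></span>")
        SafeHtml messageWithLink(SafeHtml message, SafeUri url, String linkText,
                                 String cssClass, SafeStyles style);
    }

    private static final MyTemplates TEMPLATES = GWT.create(MyTemplates.class);

    // Renders one line where message, url and link text all come from an untrusted user.
    public static SafeHtml render(String userMessage, String userUrl, String userLinkText) {
        // Untrusted text: fromString() HTML-escapes it, so "<script>" ends up as "&lt;script&gt;".
        SafeHtml message = SafeHtmlUtils.fromString(userMessage);
        // Untrusted URL: fromString() sanitizes it, keeping scheme-less URLs and the schemes
        // GWT considers safe (http, https, ftp, mailto) and replacing anything else with "#",
        // so a "javascript:" URL never reaches the href.
        SafeUri url = UriUtils.fromString(userUrl);
        // Developer-written CSS (assumed constant): marked trusted explicitly instead of
        // riding along as a String. Never build this value from user input.
        SafeStyles style = SafeStylesUtils.fromTrustedString("color:#c00;");
        // linkText and the class name stay Strings; the template escapes them.
        return TEMPLATES.messageWithLink(message, url, userLinkText, "message", style);
    }
}
```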

Related

How to use a method with SafeHtml param instead of String in UiBinder (XML)?

We're migrating our application from GXT 3 to GXT 4 (and also from GWT 2.5 to 2.8.2) and one of the things that changed is that a lot of components' body/text/heading/etc. now have two separate setters. One accepts a String param and the other one accepts SafeHtml.
Here's an example:
public void setToolTip(SafeHtml html) {
...
}
public void setToolTip(String text) {
...
}
The difference between those is that the method accepting String does not render html elements. The other one, however, does, which is perfectly fine if one uses Java code to build the UI.
Unfortunately, we do have a lot of our UI built using GWT's XML method and I would like it to stay this way.
The problem is that I cannot figure out how to show e.g. a tooltip with a SafeHtml body. When I try to do that I get compilation errors.
This is what I put in my XML file:
...
<form:TextArea ui:field="testField" toolTip="{messages.testMesssage}" >
...
And this is the error:
[ERROR] java.lang.String required, but {testMess.test} returns com.google.gwt.safehtml.shared.SafeHtml: <form:TextArea toolTip='{messages.testMesssage}' ui:field='testField'> (:184)
Thanks!
You may want to look at the GXT examples for tooltips in UiBinder. In there, it shows using the ToolTipConfig instead of trying to set "tooltip" directly.
<ui:with type="com.sencha.gxt.widget.core.client.tips.ToolTipConfig"
field="toolTipConfig">
<ui:attributes title="Information" body="Prints the current document" />
</ui:with>
...
<form:TextArea ui:field="testField" toolTipConfig="{toolTipConfig}" />

Thymeleaf form with multiple objects of the same class

Simple problem but can't find a solution: I have a Thymeleaf form used to add a new object, say of a Book class. It works perfectly well and I only need that particular form for adding new objects, not editing the existing ones. The question is: how can I put several objects of the Book class in the same single form? So, purely for convenience, instead of filling the form for a single book and clicking Send you can fill the form for several books at once and only then click Send, have them all inserted into the database (in whatever order) and also have the option to fill the form partially (e.g. the form has room for 5 books but it will also accept 1, 2, 3 or 4 and you can leave the rest blank).
Edit: I've tried passing a list of objects to the Thymeleaf template with the form bound to the whole list and iteration inside, but Thymeleaf throws a BindingResult error upon rendering it.
You need to use a wrapper object to realize what you want.
Something like:
import java.util.ArrayList;
import java.util.List;

public class BooksCreationDto {
    private List<Book> books = new ArrayList<>();

    public BooksCreationDto() { }
    public BooksCreationDto(List<Book> books) { this.books = books; }

    public void addBook(Book book) { this.books.add(book); }

    public List<Book> getBooks() { return books; }
    public void setBooks(List<Book> books) { this.books = books; }
}
Then you need to pass this object as a model attribute in your controller:
BooksCreationDto booksForm = new BooksCreationDto();
model.addAttribute("form", booksForm);
Bind the fields using the index property:
th:field="*{books[__${itemStat.index}__].title}"
and get back the result with
@ModelAttribute BooksCreationDto form
in your controller.
For a complete and detailed explanation visit: https://www.baeldung.com/thymeleaf-list
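An added example (not the answer's code) of a Spring MVC controller that carries the wrapper approach through, including the partially filled form from the question: the GET handler pre-fills five empty rows and the POST handler discards rows whose title was left blank. BooksController, Book.getTitle(), BookRepository and the view name are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class BooksController {

    private static final int ROWS = 5;          // the form always offers room for 5 books
    private final BookRepository bookRepository; // hypothetical Spring Data repository

    public BooksController(BookRepository bookRepository) {
        this.bookRepository = bookRepository;
    }

    // GET: pre-fill the wrapper with 5 empty Book rows. The template iterates with
    // th:each="book, itemStat : *{books}" and binds each row through
    // th:field="*{books[__${itemStat.index}__].title}", so the rows must exist here.
    @GetMapping("/books/new")
    public String showForm(Model model) {
        BooksCreationDto form = new BooksCreationDto();
        for (int i = 0; i < ROWS; i++) {
            form.addBook(new Book());
        }
        model.addAttribute("form", form);   // must match th:object="${form}" in the view
        return "books/new";                 // hypothetical template name
    }

    // POST: blank rows come back as Book objects with empty fields; keep only the
    // rows that were actually filled in before saving.
    @PostMapping("/books/new")
    public String saveBooks(@ModelAttribute("form") BooksCreationDto form) {
        List<Book> filled = new ArrayList<>();
        for (Book book : form.getBooks()) {
            if (book.getTitle() != null && !book.getTitle().trim().isEmpty()) {
                filled.add(book);
            }
        }
        bookRepository.saveAll(filled);
        return "redirect:/books";
    }
}
```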

How do you change the markup value for a text element using DynamicJasper?

I am using DynamicJasper to generate reports from some tables at run time. I have some fields where the data was styled using basic html tags as it was created. Very basic tags like bold and italic, and JasperReports can handle them by setting the markup attribute of the textElement to html. The problem is I cannot find a way to change it using DynamicJasper.
I have tried using addFieldProperty("markup", "html") found in ColumnBuilder, but that adds markup as a property to the field (probably obvious that it should do that based on the name) instead of the text element.
How do you change the markup value for a text element using DynamicJasper?
The DynamicJasper API does not contain methods to set markup.
But you can use the JasperReports API for this.
For example, the JRBasePrintText class and the JRCommonText interface have a method for setting markup:
public void setMarkup(java.lang.String markup)
The JRCommonText interface has constant fields:
public static final String MARKUP_NONE = "none";
public static final String MARKUP_STYLED_TEXT = "styled";
public static final String MARKUP_HTML = "html";
public static final String MARKUP_RTF = "rtf";
You can modify DynamicJasper classes for your needs like in this post, for example.

How do I set a GWT UiBinder element's inner HTML using SafeHTML instead of a String?

I have the following element created by UiBinder:
@UiField UListElement phones;
With the following markup:
<ul ui:field="phones" class="contact section"></ul>
I had previously been using the method setInnerHTML(String) to set the value. For example:
phones.setInnerHTML("<li><span class='title'>" + title +
    "</span><div class='phone'><a href='tel:" + number + "'>" +
    number + "</a></div></li>");
I would now like to use SafeHtmlTemplates to reduce the possibility of having XSS (cross-site scripting) problems. Using a SafeHtmlTemplate, I now get back SafeHtml which I would like to stick into my phones element variable. How do I do this? I don't see a method that would take a SafeHtml type variable.
To use SafeHtml you have to stick to GWT's widgets. More specifically:
With the introduction of the com.google.gwt.safehtml package, all of the core GWT library's widgets that take String arguments that are interpreted as HTML have been augmented with corresponding methods that take a SafeHtml-typed value. In particular, all widgets that implement the HasHTML (or HasDirectionalHtml) interface also implement the HasSafeHtml (or HasDirectionalSafeHtml, respectively) interface.
If UiBinder should generate safe HTML you have to set the following property in your module xml:
<set-configuration-property name="UiBinder.useSafeHtmlTemplates" value="true" />
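Putting this together for the phones list in the question, as an added example rather than code from the answer: a SafeHtmlTemplates interface renders one <li> per phone, a SafeHtmlBuilder joins the items, and Element.setInnerSafeHtml(SafeHtml) takes the place of the old setInnerHTML(String) call. The ContactView class, PhoneTemplates, showPhones and the tel: handling are assumptions; in particular, my reading of UriUtils.fromString is that it accepts only http, https, ftp and mailto, so a tel: link is reduced to dial characters and then passed through fromTrustedString.

```java
import com.google.gwt.core.client.GWT;
import com.google.gwt.dom.client.UListElement;
import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeUri;
import com.google.gwt.safehtml.shared.UriUtils;
import com.google.gwt.uibinder.client.UiField;
import java.util.List;

public class ContactView {

    // One <li> per phone: title and number sit between tags and are escaped,
    // the href slot takes a SafeUri so no String is ever placed in a URI attribute.
    public interface PhoneTemplates extends SafeHtmlTemplates {
        @Template("<li><span class=\"title\">{0}</span>"
                + "<div class=\"phone\"><a href=\"{1}\">{2}</a></div></li>")
        SafeHtml phoneItem(String title, SafeUri telUri, String number);
    }

    private static final PhoneTemplates TEMPLATES = GWT.create(PhoneTemplates.class);

    @UiField UListElement phones;   // the <ul ui:field="phones"> from the question

    // Assumption: tel: is not among the schemes UriUtils.fromString() accepts, so it
    // would come back as "#". The untrusted number is therefore reduced to dial
    // characters only, and that constrained string is then marked trusted.
    static SafeUri telUri(String number) {
        String dialable = number.replaceAll("[^0-9+]", "");
        return UriUtils.fromTrustedString("tel:" + dialable);
    }

    // Replaces the list contents. entries hold {title, number} pairs of arbitrary user text.
    void showPhones(List<String[]> entries) {
        SafeHtmlBuilder items = new SafeHtmlBuilder();
        for (String[] entry : entries) {
            items.append(TEMPLATES.phoneItem(entry[0], telUri(entry[1]), entry[1]));
        }
        // Element.setInnerSafeHtml(SafeHtml) is the SafeHtml-typed sibling of setInnerHTML(String).
        phones.setInnerSafeHtml(items.toSafeHtml());
    }
}
```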

Custom tags in UiBinder files

When using a <g:LayoutPanel> in UiBinder.ui.xml files, you can specify <g:layer> tags. Some other Google-built widgets have special tags like that as well - <g:tab> even has a sub-tag, <g:header>.
How can I specify these for my own widgets?
The new answer to this question, after some GWT improvements, is at https://stackoverflow.com/a/11785903/439317 . Copied below to avoid moderator deletion (maybe?).
You can use @UiChild to declare special functions in your widgets accessible in UiBinders.
For example:
class MyPanel extends AbsolutePanel {
    @UiChild
    public void addAt(Widget w, String parameter1, String parameter2) {
        .... // add w to the panel, positioned according to parameter1 and parameter2
    }
}
Then, in your uiBinder, you can say
<custom:MyPanel>
<custom:at parameter1="HI" parameter2="Anything you like!">
<g:AnySingleWidget />
</custom:at>
</custom:MyPanel>
See @UiChild at http://google-web-toolkit.googlecode.com/svn/javadoc/latest/com/google/gwt/uibinder/client/UiChild.html
What you're looking for is a custom element parser for UiBinder. See this issue. Unfortunately it's not supported yet.
You might be interested in this post for some guidance on how to extend the current parser on your own.