When the validation message is given on the webpage though, it doesn't show the proper degree symbol and shows it without encoding it.
It appears that adding special characters to the cshtml may be the best way and the following will show the correct degree symbol in the validation message.
<span asp-validation-for="User" class="text-danger">Error Message with °</span>
Related
The URL of the template is:
http://localhost:8080/login?error=Usu%E1rio%20inexistente%20ou%20senha%20inv%E1lida
where, for example, %E1 is á
I'm trying to display the value of the param error on the page using this code:
but a wrong value with special character is being displayed.
Welcome to SO.
I see two ways you can try:
1) Use the utility for an HttpServletRequest:
<p th:utext="${#httpServletRequest.getParameter('error')}">[error message]</p>
This is getting the value of the error parameter from the request.
2) Use the typical usage for getting the value of a param:
<p th:utext="${param.error}">[error message]</p>
In either case, you can use th:if to check for null. You can use utext to get the unescaped text so that unusual characters display.
Also, check that your character encoding is set to UTF-8. In your config, it would look something like:
resolver.setCharacterEncoding(StandardCharsets.UTF_8.name());
or
resolver.setCharacterEncoding("UTF-8");
Instead of trying to decode the URL, I first encoded the error message where it was generated using URLEncoder.encode(errorMessage). So, the URL changed to http://localhost:8080/login?error=Usuário+inexistente+ou+senha+inválida. Then, I didn't need to decode. I only used th:text="${param.msgError}
I need to display some superscript and subscript characters in my webpage title. I have a helper method that recognizes the pattern for a subscript or superscript, and converts it to &sub2; or ²
However, when it shows up in the rendered page's file, it shows up in the source code as:
&sub2;
Which is not right. I have it set up to be:
<% provide(:title, raw(format_title(#hash[:page_title]))) %>
But the raw is not working. Any help is appreciated.
Method:
def format_title(name)
label = name
if label.match /(_[\d]+_)+|(~[\d]+~)+/
label = label.gsub(/(_([\d]+)_)+/, '&sub\2;')
label = label.gsub(/(~([\d]+)~)+/, '&sup\2;')
label.html_safe
else
name
end
end
I have even tried:
str.gsub(/&/, '&')
but it gives back:
&sub2;
You can also achieve this with Rails I18n.
<%= t(:page_title_html, scope: [:title]) %>
And in your respective locale file. (title.en.yml most probably):
title:
page_title: "Title with ²"
Here is a chart for HTML symbols regarding subscript and superscripts.
For more information check Preventing HTML character entities in locale files from getting munged by Rails3 xss protection
Update:
In case you need to load the page titles dynamically, first, you'll have to install a gem like Page Title Helper.
You can follow the guide in the gem documentation.
There are two of issues with your example, one is of matter and the other is just a coincidence.
The first issue is you are trying to use character entities that do not actually exist. Specifically, there are only ¹, ² and ³ which provide 1, 2 and 3 superscript symbols respectively. There is no such character entity as &sup4; nor any other superscript digits. There are though bare codepoints for other digits which you can use but this would require a more involved code.
More importantly, there are no subscript character entities at all in HTML5 character entities list. All subscript digits are bare codepoints. Therefore it makes no sense to replace anything with &sub2; or any other "subscript" digit.
The reason you didn't see your example working is due to the test string you chose. Supplying anything with underscores, like _2_mystring will be properly replaced with &sub2;. As &sub2; character entity is non-existent, the string will appear as is, creating an impression that raw method somehow doesn't work.
Try to use ~2~mystring and it will be replaced with the superscript character entity ² and will be rendered correctly. This illustrates that your code correct, but the basic assumption about character entities is not.
In my struts2 application I have field named carrierNo that accepts integer, when i put string in it gives me this validation error message:
*Invalid field value for field "carrierNo".*
i can customize this error message in the properties file like this
invalid.fieldvalue.carrierNo=this field does not accept characters
but i don't want to write a customized message for every non String field in my web application, i want to make it general, i tried the following but it did not work
invalid.fieldvalue.%{getText(fieldName)}=this field does not accept characters
if there is no way to make general, please help me disable this message at all.
then i will use converstion field validator with single message that i define in the properties file.
so my request is to help me make this invalid.fieldvalue.carrierNo general something like this form invalid.fieldvalue.%{getText(fieldName)}
or disable the display of this error message Invalid field value for field "carrierNo".
You could create your own implementation of ConversionErrorInterceptor which finds out the class of failed field and gets your custom message.
Edit:
See source code for ConversionErrorInterceptor. For example you could do something like this in your custom interceptor inside intercept method
// get field by name from action
Field f = invocation.getAction().getClass().getDeclaredField(propertyName);
// get type of field
Class clz = f.getType();
String message = LocalizedTextUtil.findDefaultText(XWorkMessages.DEFAULT_INVALID_FIELDVALUE + "." + clz,
invocationContext.getLocale());
And in your messages.properties file put xwork.default.invalid.fieldvalue.int, xwork.default.invalid.fieldvalue.float, etc.
The easiest way to remove conversion messages is to remove the "conversionError" interceptor from your default stack. One problem with removing it, however, is that IIRC it's also responsible for putting the original (non-converted) value back into fields instead of having them replaced by the value of the failed conversion. This can lead to an unpleasant user experience, IMO.
Making a "... does not accept characters" conversion error message doesn't feel right: conversion errors encompass the entire application, and characters may not be the reason for a conversion error.
There's a ton of questions about this particular exception but I couldn't find any that would suit my needs. I don't want to disable validation and neither wouldn't want to manually escape each form input value.
Is there a way to display this error message to the user in the same way as ASP.NET MVC informs the user of not providing a required value in the form? I think this would be the cleanest way to deal with this kind of error.
$("form").submit(function(e){
var invalid = $("form").find("input:text,input:hidden,textarea").filter(function() {
var value = $(this).val();
var encoded = $("<div>").html(value).text();
return value != encoded;
}).length > 0;
if (invalid)
{
e.preventDefault();
//show validation message
}
}
This error is just a safety net in ASP.NET; Microsoft would expect you to disable this error once you've checked you are encoding your text properly.
It's not about manually escaping each input form value. It's about HTML encoding all user-facing text that is rendered to the page. It's just that text that is entered in forms is frequently displayed back to the user.
For example, the string "My age is > 21 & < 90" is not valid HTML and won't appear correctly to the user (this could be abused in a cross-site script attack). If any string you are displaying is not already valid HTML, you have to HTML-encode it. Fortunately in MVC there are plenty of easy ways to do this (using <%: %> operators is one). If you are doing this correctly, then there is no need to have this error enabled.
Sorry I know this isn't the answer you asked for, but I believe keeping this error switched on is just user-unfriendly for many reasons.
In my asp.net mvc page I create a link that renders as followed:
http://localhost:3035/Formula/OverView?colorId=349405&paintCode=744&name=BRILLANT%20SILVER&formulaId=570230
According to the W3C validator, this is not correct and it errors after the first ampersand. It complains about the & not being encoded and the entity &p not recognised etc.
AFAIK the & shouldn't be encoded because it is a separator for the key value pair.
For those who care: I send these pars as querystring and not as "/" seperated values because there is no decent way of passing on optional parameters that I know of.
To put all the bits together:
an anchor (<a>) tag's href attribute needs an encoded value
& encodes to &
to encode an '&' when it is part of your parameter's value, use %26
Wouldn't encoding the ampersand into & make it part of my parameter's value?
I need it to seperate the second variable from the first
Indeed, by encoding my href value, I do get rid of the errors. What I'm wondering now however is what to do if for example my colorId would be "123&456", where the ampersand is part of the value.
Since the separator has to be encoded, what to do with encoded ampersands. Do they need to be encoded twice so to speak?
So to get the url:
www.mySite.com/search?query=123&456&page=1
What should my href value be?
Also, I think I'm about the first person in the world to care about this.. go check the www and count the pages that get their query string validated in the W3C validator..
Entities which are part of the attributes should be encoded, generally. Thus you need & instead of just &
It works even if it doesn't validate because most browsers are very, very, very lenient in what to accept.
In addition, if you are outputting XHTML you have to encode every entity everywhere, not just inside the attributes.
All HTML attributes need to use character entities. You only don't need to change & into & within script blocks.
Whatever
Anywhere in an HTML document that you want an & to display directly next to something other than whitespace, you need to use the character entity &. If it is part of an attribute, the & will work as though it was an &. If the document is XHTML, you need to use character entities everywhere, even if you don't have something immediately next to the &. You can also use other character entities as part of attributes to treat them as though they were the actual characters.
If you want to use an ampersand as part of a URL in a way other than as a separator for parameters, you should use %26.
As an example...
Hello
Would send the user to http://localhost/Hello, with name=Bob and text=you & me "forever".
This is a slightly confusing concept to some people, I've found. When you put & in a HTML page, such as in <a href="abc?def=5&ghi=10">, the URL is actually abc?def=5&ghi=10. The HTML parser converts the entity to an ampersand.
Think of exactly the same as how you need to escape quotes in a string:
// though you define your string like this:
myString = "this is \"something\" you know?"
// the string is ACTUALLY: this is "something" you know?
// when you look at the HTML, you see:
<a href="foo?bar=1&baz=2">
// but the url is ACTUALLY: foo?bar=1&bar=2