Escaping '&' character in thymeleaf - hyperlink

I need an image loaded into an HTML img tag using Thymeleaf. The problem is, the image itself is obtained from a URL which takes in two parameters.
Sample:
<img src="/products/images?categoryId=1&image=1" />
The trouble is, the image parameter is generated dynamically and hence I need to use a thymeleaf expression there. Therefore I tried something like this:
<img th:src="@{'/products/images?categoryId=1&image=' + ${product.id}}" />
But when I run this, I get the following message:
Exception parsing document: template="product-list", line 104 - column 59
Which points to the location where the '&' symbol occurs. Now, I have tried using '&amp;' but then the URL becomes something like
/products/images?categoryId=1&amp;image=1
Obviously, this is not going to work.
So how else do I make a valid link with two parameters using thymeleaf then?

This can easily be done in Thymeleaf. Don't concatenate strings;
simply use @{'/products/images'(categoryId=1, image=${product.id})}
See the documentation.

The way that you escape an ampersand & in any HTML attribute is &amp;. Actually you should always escape ampersands in all HTML attributes whether you are using Thymeleaf or not.
See this question for more details and references:
Do I encode ampersands in <a href...>?

Related

Make link with full current URL into thymeleaf view

My current request URL is domain.com/my-action?p1=1&p2=2 and I want to make an anchor like domain.com/my-action?p1=1&p2=2#anchor
I tried to use <a th:href="@{__${#request.requestURI}__#anchor}">My anchor with full query string</a>
or <a th:href="@{__${#request.queryString}__#anchor}">My anchor with full query string</a>
or without preprocessing expression like <a th:href="${#request.queryString} + '#anchor'">My anchor with full query string</a>
and <a th:href="${#request.requestURI} + '#anchor'">My anchor with full query string</a>
This doesn't work in either case:
No problem with the requestURI, but the link is without query string parameters (domain.com/my-action#anchor)
With the queryString the template fails on parsing and I have an error in the console that says "Access to request parameters is forbidden in this context. Note some restrictions apply to variable access. For example direct access to request parameters is forbidden in preprocessing and unescaped expressions, in TEXT template mode, in fragment insertion specifications, and in some specific attributes processors."
My search result about this problem returns this issue: https://github.com/thymeleaf/thymeleaf/issues/648 but I don't understand how to fix that.
If someone has an idea about how to make this anchor link as well ;)
EDIT: My application is a Spring Boot 2.2.2 application with spring-boot-starter-thymeleaf ; thymeleaf-3.0.11.RELEASE ; thymeleaf-expression-processor-1.1.3 and thymeleaf-layout-dialect-2.4.1

ZF2: Who should escape & delimiter for href when using Url helper?

When I use the Url helper to generate a URL for a route with query params and then add that URL to a link href, the validator warns me that there is an unescaped & in the attribute:
I tried to search but still I'm not sure who is responsible for escaping that.
Router generates the URL, but that might be used anywhere, not only in an HTML attribute, so it correctly does no escaping in its case.
Url helper does not change anything in that URL, but it is meant for use in HTML, so it might be done here.
View template - there the URL is put inside the href attribute, so it might be here too.
I couldn't find any clue how to decide this and whether to file an issue with ZF2 about this.
EDIT: html/php code from paginator
<<
generates html
<<
and from what I found it should be
<<
I would argue that the current behavior (not HTML entity encoding) is correct and it is up to the developer to encode HTML entities, when appropriate.
For instance you may want to use the view helper inside a <script> tag, where the HTML entities would be uncalled for.

Html.Raw not decoding

Just a query, I have used @Html.Raw(Item.sometext) before and it decodes the HTML tags correctly. I'm getting some data from a remote source which is in JSON format, but when displayed on the page I found Html.Raw did not decode the HTML tags.
To fix the problem I used:
@Html.Raw(HttpUtility.HtmlDecode(Item.sometext))
So my question is, can anyone please tell me why that could be the case, as I'm curious as to the reason. I'm using MVC4 and ASP.NET 4.5.
Thanks
George
Here is my answer in an attempt to explain better what I mean (in the comments).
Your JSON is formatted for example (which you have supplied) like so:
<p><b>Location. <\/b> <br \/>...
However, this is not valid HTML. Notice the escape characters used for the slashes '/'. So if you pass this value to Html.Raw it will (should) output it, but it's not valid HTML so it will unlikely display correctly (if it displays anything at all).
This escape character issue can be fixed using Html.Decode which will effectively return the following:
<p><b>Location. </b> <br />...
This is valid HTML, and can therefore be passed to Html.Raw without any problems
NOTE: Html.Raw does not do any encoding/decoding, in fact it explicitly instructs that the supplied value should not be encoded as it is already raw HTML. This is confirmed here:
Use the Raw method when the specified text represents an actual HTML
fragment that should not be encoded and that you want to render as
markup to the HTTP response.

How to sanitize an attribute value in rails

What is the best way to sanitize an attribute value in rails? The code looks something like this:
<img alt="<%= h 'untrusted-data' %>" src="image-source-here" />
I am specifically concerned about Rule #2 and Rule #3 given on owasp.net XSS prevention cheat sheet.
Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
Is the html_escape method enough for the purpose? For some reason I can't use the tag method provided by TagHelper here. Using Rails version 2.3.5.
Yes, it's good enough. (with another " though but I guess it's a typo :)
<img alt="<%=h untrusted %>" src="img.png" />
h will prevent untrusted from containing " and replace it by &quot; so that the attacker will be unable to get out of the alt attribute. Moreover, she will also be unable to exploit something via the alt attribute, as no parsing is done in it.
For example, it would be different if it was in an a's href attribute, in which case the attacker would have been able to run some JavaScript code when clicked, even without being able to get out of the attribute (like javascript:alert(/XSSed/);).
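Both the Thymeleaf answer above (always write & as &amp; inside an attribute) and this Rails answer (h stops a " breakout, but href needs more than escaping) come down to three separate layers. The following is an added illustration, not code from Rails, Thymeleaf or any of the posters; build_url, attr_escape, safe_href and img_tag are names chosen here, and attr_escape uses ERB::Util.html_escape, which is what Rails' h is.

```ruby
require "erb"
require "cgi"
require "uri"

# Layer 1 (URL): percent-encode each parameter value, join with a bare "&".
# This is the value the server will see; no HTML entities belong here.
def build_url(path, params)
  query = params.map { |k, v| "#{CGI.escape(k.to_s)}=#{CGI.escape(v.to_s)}" }.join("&")
  query.empty? ? path : "#{path}?#{query}"
end

# Layer 2 (attribute): what Rails' h does. & < > " ' become entities, so
# "&" -> "&amp;" and a quote cannot close the attribute early.
# The browser decodes the entities back before using the value.
def attr_escape(value)
  ERB::Util.html_escape(value.to_s)
end

SAFE_SCHEMES = %w[http https].freeze

# Layer 3 (href only): escaping cannot stop "javascript:alert(1)", because
# that string contains nothing that needs escaping. Allow-list the scheme
# instead; relative URLs (no scheme) are fine.
def safe_href(url)
  scheme = URI.parse(url).scheme
  unless scheme.nil? || SAFE_SCHEMES.include?(scheme.downcase)
    raise ArgumentError, "unsafe scheme: #{scheme}"
  end
  attr_escape(url)
rescue URI::InvalidURIError
  raise ArgumentError, "unparseable URL"
end

# An img tag built with layers 1 and 2; alt gets layer 2 only.
def img_tag(path, params, alt)
  %(<img src="#{attr_escape(build_url(path, params))}" alt="#{attr_escape(alt)}" />)
end

# Constructed sample values, as in the Thymeleaf question above.
puts img_tag("/products/images", { categoryId: 1, image: 42 }, "product image")
```

CGI.unescapeHTML (or any HTML parser) turns the src value back into the exact URL build_url produced, which is why the "double encoded" &amp; in the Gravatar thread below is correct.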

Microsoft.Web.Helpers Gravatar error in generated URL

I'm using the Gravatar helper class from Microsoft.Web.Helpers like so
<%: Gravatar.GetHtml("me@domain.com", 80, "identicon") %>
which produces in the source
<img src="http://www.gravatar.com/avatar/0ff2e377be7d73b15f0b48022a755717?s=80&amp;d=identicon" alt="gravatar" />
The image URL does work but shouldn't it be &d=identicon and not &amp;d=identicon? It appears to have encoded the ampersand. This is also the same when using Gravatar.GetUrl()
How can I stop it encoding the ampersand without rewriting my own version?
<%:Gravatar.GetHtml("me@domain.com", 80, "identicon") %>
You're telling it to encode the output; ":" is shorthand for this. If you do not want to encode the output, do this
<%=Gravatar.GetHtml("me@domain.com", 80, "identicon") %>
As far as I am aware ":" is shorthand for outputting via Html.Encode()
=========Edit
What the Helper is doing is correct, it should be encoding the ampersand, more info at the link below
XHTML and & (Ampersand) encoding
In code (say in the controller action... and not in the *.aspx or *.cshtml markup), when I do this:
var avatarUrl = Gravatar.GetUrl("someone@somewhere.com", defaultImage: "identicon");
This will return the following string:
http://www.gravatar.com/avatar/923d10bc97028030e8e67e7db62658d1?s=80&amp;d=identicon
Note the encoded ampersand (&amp;) where there shouldn't be any encoding. I think this is not working as intended. The reason it matters is that instead of getting the identicon (or gravatar) that we want, we get the default gravatar logo, which we don't want (the whole point of the identicon fallback). Remember, this was done from the controller, not the view markup.