Andy is a software engineer and consultant, currently working for CapTech Ventures in Richmond, VA. His specialties are JavaEE and front-end development, and is an open source and web standard enthusiast. He has over 8 years experience developing web sites and applications, holds several Sun certifications, and blogs at www.andypemberton.com. Andy has posted 4 posts at DZone. You can read more from them at their website. View Full User Profile

JSR286 Tag Library and XML Escaping

12.09.2010
| 3904 views |
  • submit to reddit

It always bothered me that the JSR168 <portlet:actionURL /> and <portlet:renderURL /> tags didn’t encode their HTML character entities. The lack of encoding causes your HTML 4 or XHTML 1 markup to fail automated validation. After flipping through a bit more of the JSR286 spec, it mentions that in JSR168 “the behavior in regards to XML escaping URLs written by the tag library was undefined” 1. So, some vendors may have encoded and some may not have (as of 2.7 JBoss Portal, for example, does not).

Well, it turns out that the JSR286 expert group noticed that and accounted for it. Section 10.4.1 defines a new container runtime option: javax.portlet.escapeXml. The option causes portlet URLs to be escaped and is true by default. This is primarily for backwards compatibility so that older portlets that dependended on unencoded URLs will work on a portlet 2.0 container.

This option and its default value should make validating your portal UI markup much easier, though it might cause one minor annoyance. Because your portlet URLs will now be encoded, you can’t trigger them directly using javascript.

For example, you wouldn’t want to call the following:

<script type="language/javascript">  
var url = '<portlet:renderURL><portlet:param name="id" value="5" /></portlet:renderURL>';
window.location = url;
</script>
<script type="language/javascript">
var url = '<portlet:renderURL><portlet:param name="id" value="5" /></portlet:renderURL>';
window.location = url;
</script>

Because the URL above would be encoded, your ‘id’ parameter wouldn’t be passed along properly.

To avoid this, you’d want to decode the URL before accessing in through javascript. We use ExtJS on my current project, which offers a handy method for doing just that:

<script type="language/javascript">  
var url = '<portlet:renderURL><portlet:param name="id" value="5" /></portlet:renderURL>';
window.location = Ext.util.Format.htmlDecode(url);
</script>
<script type="language/javascript">
var url = '<portlet:renderURL><portlet:param name="id" value="5" /></portlet:renderURL>';
window.location = Ext.util.Format.htmlDecode(url);
</script>

It’s always nice to see this kind of improvement in the spec; hope this is helpful for you!

 

From http://www.andypemberton.com/portal/jsr286-tag-library-and-xml-escaping/

Published at DZone with permission of its author, Andy Pemberton.

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)

Tags:

Comments

Jean-Baptiste Nizet replied on Thu, 2010/12/09 - 7:38am

Last time I checked, the <c:url> tag from the JSTL didn't escape html, either. And this is indeed useful when you have to use URLs inside javascript code. To generate valid HTML, I thus use this kind of code :

<c:url var="myUrl" value="someAction">
<c:param name="param1" value="value1"/>
<c:param name="param2" value="value2"/>
</c:url>

<%-- the myUrl variable now contains an unescaped URL --%>

<a href="${fn:escapeXml(myUrl)">The URL of this link is correctly escaped</a>

 

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.