Hmm... interesting problem. I'm not sure it's a good idea to provide a custom MarkupModel class (even if it's somehow possible to do without modifying Tapestry source), because the MarkupModel is really tied to the document type, and you are not really generating a custom document type. Instead, I think you just need to modify user input as it is submitted. You could do that on a per-form-field basis by changing user-submitted values with a simple String.replace in an onValidateFrom... method in your page or component class. Or, if you want the behavior to apply across all forms in your application, you could write a Tapestry HttpServletRequestFilter that looks at all submitted data and potentially modifies it. You could adapt this example from Mike Gentry to suit your purposes: https://gist.github.com/mrg/8943683
On Thu, Mar 19, 2015 at 11:33 AM, Тимур Бухараев <bukhar...@gmail.com> wrote:
> I use AngularJS and Tapestry 5.3 in my web project.
>
> The problem is as follows:
> 1. The user inputs some data in a text field, for example his profile
> description, and posts it to the server.
> 2. The profile description is rendered with a Tapestry variable:
> <div>$description<div>
> 3. If $description contains some text like this "{{
> <script>alert("Hehe!");</script> }}", AngularJS starts to interpret it, and
> it is a big security problem.
>
> Tapestry escapes standard HTML symbols: < is replaced with &lt; and so on. So
> if the user inputs some HTML tags, Tapestry decorates them and that is great. I
> want to replace the '{' symbol with {
>
> I found the class AbstractMarkupModel in the source, which does this decorating
> work.
>
> The question is: how do I replace the behavior of AbstractMarkupModel.encode to
> support decoration of the {{ symbol?
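
The application-wide filter approach suggested in the reply, as an added example that is not from the thread or the linked gist. The class name `AngularBraceFilter`, the `defuse` helper and the zero-width-space replacement are assumptions, and it assumes AngularJS's default `{{` interpolation delimiter.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.tapestry5.services.HttpServletRequestFilter;
import org.apache.tapestry5.services.HttpServletRequestHandler;

/** Hypothetical filter (added example): defuses "{{" in every submitted parameter. */
public class AngularBraceFilter implements HttpServletRequestFilter {

    // Assumption: a zero-width space between adjacent braces is acceptable in stored text.
    // An HTML entity is not written here: Tapestry's output encoding would escape
    // its '&' again and the entity would be displayed literally.
    static String defuse(String value) {
        if (value == null) return null;
        // The lookahead splits every adjacent pair, so "{{{" cannot leave a "{{" behind.
        return value.replaceAll("\\{(?=\\{)", "{\u200B");
    }

    @Override
    public boolean service(HttpServletRequest request, HttpServletResponse response,
                           HttpServletRequestHandler handler) throws IOException {
        HttpServletRequest wrapped = new HttpServletRequestWrapper(request) {
            @Override
            public String getParameter(String name) {
                return defuse(super.getParameter(name));
            }

            @Override
            public String[] getParameterValues(String name) {
                String[] values = super.getParameterValues(name);
                if (values == null) return null;
                String[] out = new String[values.length];
                for (int i = 0; i < values.length; i++) out[i] = defuse(values[i]);
                return out;
            }
            // getParameterMap() is left unwrapped; wrap it too if your code reads it.
        };
        return handler.service(wrapped, response);
    }
}

// Registration in the application module (AppModule):
//   public void contributeHttpServletRequestHandler(
//           OrderedConfiguration<HttpServletRequestFilter> configuration) {
//       configuration.add("AngularBraceFilter", new AngularBraceFilter());
//   }
```

Values stored before the filter was installed are not changed by it, so existing data still needs a one-off cleanup.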