I'm guessing you could override the PageElementFactory with a custom implementation. You could extend PageElementFactoryImpl and override newExpansionElement. I'm guessing you might wrap Binding.get() to escape "{{" if the binding type is String.

On 19 Mar 2015 15:36, "Тимур Бухараев" <bukhar...@gmail.com> wrote:
> I use AngularJS and Tapestry 5.3 in my web project.
>
> The problem is as follows:
> 1. The user inputs some data in a text field, for example his profile
> description, and posts it to the server.
> 2. The profile description is rendered with a Tapestry variable:
> <div>$description<div>
> 3. If $description contains some text like this:
> "{{ <script>alert("Hehe!");</script> }}", AngularJS starts to interpret it,
> and it is a big security problem.
>
> Tapestry escapes standard HTML symbols: < is replaced with &lt; and so on. So
> if the user inputs some HTML tags, Tapestry decorates them and that is great. I
> want to replace the '{' symbol with {
>
> I found the class AbstractMarkupModel in the source, which does this
> decorating work.
>
> The question is: how do I replace the behavior of AbstractMarkupModel.encode
> to support decoration of the {{ symbol?
>