Escaping Output to Mitigate XSS - spring form tag htmlEscape equivalent? #877
I'm currently working on a project to migrate jsp files to thymeleaf. I'm aware that the spring form tag has an htmlEscape attribute that will escape user input when rendering, such as when the user submits an invalid form and the user input is rendered bound to the form. Is there a standard way to achieve this same functionality in thymeleaf? Is XSS protection built into thymeleaf? To clarify, I'm looking for output-escaping here, which is something that happens on the server side when processing a template to render. Here is a brief article to give you an idea of what I mean regarding the spring behavior. I've also asked this over on Stack Overflow.
Replies: 1 comment 2 replies
Hey there, so HTML escaping is built into Thymeleaf by default, and you usually have to go out of your way to turn it off (eg: use specific attribute processors that are made for leaving text unescaped). I can't seem to find much mention of this in the docs though, with the closest thing being this section in the general Thymeleaf tutorial about how to emit unescaped text: https://www.thymeleaf.org/doc/tutorials/3.0/usingthymeleaf.html#more-on-texts-and-variables
Just to double check, I looked at the code for the th:input="text" processor in the thymeleaf-spring project, which is this file here: https://github.com/thymeleaf/thymeleaf-spring/blob/3.1-master/thymeleaf-spring5/src/main/java/org…
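To see the default-escaping behaviour the reply describes without a Spring form binding in the way, here is a small stand-alone check. It is an added example, not code from the discussion or from the Thymeleaf project: it renders the same attacker-controlled string through the escaping processors (th:text, th:value, the [[...]] inline expression) and through the one processor that deliberately emits raw markup (th:utext), then prints each result. It assumes only Thymeleaf 3.x on the classpath; the class, template strings and payload are constructed for the demonstration.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;

// Added example (not part of the original discussion or of Thymeleaf itself).
// Assumes Thymeleaf 3.x on the classpath; no Spring dialect is needed to observe
// the escaping behaviour of the standard processors.
public class ThymeleafEscapingDemo {

    // Constructed payload: would inject a script element in text context and break out
    // of a quoted attribute in attribute context if it were emitted unescaped.
    static final String PAYLOAD = "<script>alert(1)</script>\" onfocus=\"alert(2)";

    // Four small templates; the variable name "userInput" is an assumption of this example.
    static final String[][] CASES = {
        {"th:text (escaped)",   "<p th:text=\"${userInput}\">placeholder</p>"},
        {"th:value (escaped)",  "<input type=\"text\" th:value=\"${userInput}\"/>"},
        {"[[...]] inline (escaped)", "<p>[[${userInput}]]</p>"},
        {"th:utext (UNESCAPED, never use with user input)", "<p th:utext=\"${userInput}\">placeholder</p>"},
    };

    static TemplateEngine newEngine() {
        // StringTemplateResolver treats the "template name" as the template body itself,
        // which keeps this demo self-contained (no files on disk).
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);
        return engine;
    }

    // Renders one template string with the given value bound to ${userInput}.
    static String render(TemplateEngine engine, String template, String userInput) {
        Context ctx = new Context();
        ctx.setVariable("userInput", userInput);
        return engine.process(template, ctx);
    }

    // True when the rendered HTML still carries the raw payload markup, i.e. the
    // processor did NOT escape it. Used to flag the dangerous case in the output.
    static boolean leaksRawMarkup(String html) {
        return html.contains("<script>") || html.contains("\" onfocus=\"");
    }

    public static void main(String[] args) {
        TemplateEngine engine = newEngine();
        for (String[] c : CASES) {
            String html = render(engine, c[1], PAYLOAD);
            System.out.println("== " + c[0]);
            System.out.println(html.trim());
            System.out.println("raw markup present: " + leaksRawMarkup(html));
            System.out.println();
        }
    }
}
```

Run it with the Thymeleaf jar on the classpath (for example via a Maven or Gradle project that depends on org.thymeleaf:thymeleaf:3.1.x). The point of the four cases is the one the reply makes: the ordinary text and attribute processors escape the value, so the Spring form tag's htmlEscape="true" behaviour is what you get for free, and the only way to emit raw markup is to reach for th:utext or the [(...)] inline form on purpose. When migrating JSP pages, grep the new templates for th:utext and [( to make sure none of them is fed with user-controlled data.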