Posted to commits@isis.apache.org by ah...@apache.org on 2022/10/10 11:18:07 UTC
[isis] branch master updated: ISIS-3240: value-semantics: change default HTML renderer to escape content
This is an automated email from the ASF dual-hosted git repository.
ahuber pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/isis.git
The following commit(s) were added to refs/heads/master by this push:
new c6e9b392de ISIS-3240: value-semantics: change default HTML renderer to escape content
c6e9b392de is described below
commit c6e9b392de073d1050b56d8209b7c3079d58c600
Author: Andi Huber <ah...@apache.org>
AuthorDate: Mon Oct 10 13:17:59 2022 +0200
ISIS-3240: value-semantics: change default HTML renderer to escape
content
- specializations can always override that behavior
---
.../main/java/org/apache/isis/applib/value/semantics/Renderer.java | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/api/applib/src/main/java/org/apache/isis/applib/value/semantics/Renderer.java b/api/applib/src/main/java/org/apache/isis/applib/value/semantics/Renderer.java
index b635c3bfaf..09a02ea84d 100644
--- a/api/applib/src/main/java/org/apache/isis/applib/value/semantics/Renderer.java
+++ b/api/applib/src/main/java/org/apache/isis/applib/value/semantics/Renderer.java
@@ -18,6 +18,8 @@
*/
package org.apache.isis.applib.value.semantics;
+import org.apache.isis.commons.internal.base._Strings;
+
/**
* @since 2.x {@index}
*/
@@ -30,9 +32,12 @@ public interface Renderer<T> {
/**
* The value rendered as HTML.
+ * <p>
+ * Default implementation uses the 'escaped' titlePresentation.
+ * Override for custom HTML, but be aware of potential XSS attack risks.
*/
default String htmlPresentation(final ValueSemanticsProvider.Context context, final T value) {
- return titlePresentation(context, value);
+ return _Strings.htmlEscape(titlePresentation(context, value));
}
public static enum SyntaxHighlighter {
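Review bot: The new default at `return _Strings.htmlEscape(titlePresentation(context, value));` now makes the null behaviour of this method depend on `_Strings.htmlEscape`: if `titlePresentation` may return null (its contract lies outside this hunk) and the helper is not null-tolerant, a null title that previously passed straight through would now throw. Worth confirming the helper's null handling, or guarding the call before escaping. The Javadoc warning "be aware of potential XSS attack risks" is also vaguer than it should be for an API method that downstream code will override; I would state the contract explicitly, e.g. `* Overriding implementations are responsible for escaping or sanitising any value- or user-derived text they embed, since the returned string is treated as markup.` Separately, the import pulls `org.apache.isis.commons.internal.base._Strings` into the public applib interface; if applib does not already depend on the internal package elsewhere, an applib-level escape utility would keep the API surface free of internal types. The enclosing interface `Renderer<T>` starts before and continues past this hunk.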