[2.1 Scala] Output string as html


Michael Larsson

Apr 25, 2013, 3:23:42 AM4/25/13
to play-fr...@googlegroups.com
Hi.
Do I have to do something to a text with HTML tags when I call it in the view? All my tags are viewable, and I get the texts from a DB.
Thanks

Lukáš Šembera

Apr 25, 2013, 5:24:25 AM4/25/13
to play-fr...@googlegroups.com


--
You received this message because you are subscribed to the Google Groups "play-framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to play-framewor...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Michael Larsson

Apr 26, 2013, 8:51:08 AM4/26/13
to play-fr...@googlegroups.com
Yes, I tried, but it doesn't work :)

Lukáš Šembera

Apr 26, 2013, 11:12:39 AM4/26/13
to play-fr...@googlegroups.com
And what does it do? Try to take a look at the HTML output. Are the HTML entities quoted?

Michael Larsson

Apr 27, 2013, 2:31:03 AM4/27/13
to play-fr...@googlegroups.com
Hi Lukas.

I get the data from a MongoDB and the output looks like this:

@event.information.map(info => if (info.desc.nonEmpty)
    <div class="row-fluid">
        <div class="span12 eventDesc">
            <p>{info.desc}</p>
        </div>
    </div>
  else "")

However, the <br> tags show up as text.

Guillaume Bort

Apr 27, 2013, 2:01:08 PM4/27/13
to play-fr...@googlegroups.com

Why are you using Scala XML literals here? You should use the Play template system for everything and use @Html(...) if you want Play to consider your data as safe HTML. However, take care: by doing this you are likely to introduce an XSS vulnerability into your system.


Michael Larsson

Apr 27, 2013, 2:34:27 PM4/27/13
to play-fr...@googlegroups.com
OK, I didn't know. Basically I just want to write the divs if there is a description. This script is in the HTML page. Am I doing something wrong here?

Byron Weber Becker

Apr 28, 2013, 7:18:34 PM4/28/13
to play-fr...@googlegroups.com


On Saturday, April 27, 2013 2:01:08 PM UTC-4, Guillaume Bort wrote:

Why are you using Scala XML literals here? You should use the Play template system for everything and use @Html(...) if you want Play to consider your data as safe HTML. However, take care: by doing this you are likely to introduce an XSS vulnerability into your system.


Guillaume, can you expand on this? http://www.playframework.com/documentation/2.1.1/ScalaTemplates presents the advantages only in terms of workflow, not security. Personally, I haven't found a workflow advantage. I appreciate being able to use the features of the Scala IDE while editing view code and simply find it easier to work in straight-up Scala.

If there is a security difference between writing

@(customer: Customer, orders: List[Order])

<h1>Welcome @customer.name!</h1>

<ul>
@for(order <- orders) {
  <li>@order.getTitle()</li>
}
</ul>

and

import scala.xml.NodeSeq

def listOrders(customer: Customer, orders: List[Order]): NodeSeq = {
  <h1>Welcome { customer.name }!</h1>
  <ul>
    { for (order <- orders) yield { <li>{ order.getTitle() }</li> } }
  </ul>
}

I'll need to re-evaluate my practice.

Thanks!

 

Guillaume Bort

Apr 29, 2013, 4:08:42 AM4/29/13
to play-fr...@googlegroups.com

On Mon, Apr 29, 2013 at 1:18 AM, Byron Weber Becker <bwbe...@uwaterloo.ca> wrote:
If there is a security difference between writing

No, it is fine. Scala XML literals automatically escape any dynamic value, so they prevent any XSS vulnerability.


--
Guillaume Bort, http://guillaume.bort.fr
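The two behaviours the thread turns on, Michael's <br> coming out as text and the @Html versus XML-literal comparison in the last two posts, as an added, stand-alone Scala example that is not code from any poster or from Play itself. It only needs scala.xml on the classpath (bundled with Scala 2.10 as used by Play 2.1, a separate scala-xml module in later versions) and calls nothing but NodeSeq.toString, so it does not depend on how Play writes the NodeSeq out. The sample strings and the object and method names are constructed for the demonstration.

```scala
import scala.xml.{ NodeSeq, Unparsed }

// Added example, not from the thread: how scala.xml treats dynamic values.
object HtmlOutputDemo {

  // Constructed sample values, standing in for strings read from MongoDB.
  val formattedDesc = "First line<br>Second line"
  val hostileDesc   = "<img src=x onerror=\"alert(document.cookie)\">"
  val hostileUrl    = "javascript:alert(document.cookie)"

  // Michael's pattern: { desc } is wrapped in a Text node, and Text.toString
  // escapes < > & and " on output. That is why a stored <br> is shown
  // literally rather than rendered, and also why stored markup cannot run.
  def descriptionEscaped(desc: String): NodeSeq =
    <div class="row-fluid">
      <div class="span12 eventDesc">
        <p>{ desc }</p>
      </div>
    </div>

  // The NodeSeq counterpart of @Html(...): Unparsed writes its string verbatim.
  // This brings the <br> back, and it also passes any stored <img onerror=...>
  // straight into the page, which is the XSS risk Guillaume warns about.
  def descriptionRaw(desc: String): NodeSeq =
    <div class="row-fluid">
      <div class="span12 eventDesc">
        <p>{ Unparsed(desc) }</p>
      </div>
    </div>

  // Attribute values go through the same escaping, so a " inside the value
  // cannot close the attribute. Escaping does not look at the URL scheme,
  // though: a javascript: URL survives as a perfectly well-formed href.
  def link(url: String, label: String): NodeSeq =
    <a href={ url }>{ label }</a>

  // Serialise exactly as scala.xml does; Play ends up writing this string.
  def render(nodes: NodeSeq): String = nodes.toString

  def main(args: Array[String]): Unit = {
    println(render(descriptionEscaped(formattedDesc)))
    println(render(descriptionEscaped(hostileDesc)))
    println(render(descriptionRaw(hostileDesc)))
    println(render(link(hostileUrl, "event page")))
  }
}
```

Run it with `scala HtmlOutputDemo.scala` (or `scala-cli` with the scala-xml dependency on newer Scala). The first two lines show the escaped text node, the third the raw markup emitted by Unparsed, and the fourth a well-formed but attacker-controlled href. The practical rule this illustrates: Unparsed, like @Html, should only ever receive markup the application produced or sanitised itself, and URL-valued attributes need a scheme check (allow http and https, reject the rest) in addition to escaping.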