MessageFormat.format issue

 
Al Kho
Greenhorn
Posts: 3
Hi,

I have an application that uses MessageFormat.format. This works well in most cases except when I try to enter things like <script> or <image>. It doesn't treat these as text but runs them!

For example, entering <image> will result in a spot for the image. If you specify the image source, then it displays the image.

Any ways to get around this?

Thanks!
 
Ernest Friedman-Hill
author and iconoclast
Sheriff
Posts: 24217
Hi,

Welcome to JavaRanch!

MessageFormat.format() can't, of course, display anything, as it just returns a String or StringBuffer. What matters is what you do with that returned object. If it looks like HTML, and you're displaying in something that knows how to display HTML, then of course you're going to get rendered HTML. Tell us what you're doing with the results from calling format().
 
Al Kho
Greenhorn
Posts: 3
The code is in a jsp:

<%= MessageFormat.format(ECMessageHelper.doubleTheApostrophy(follettText.getString("isbnNotFound")),new Object[]{request.getParameter("isbn")}) %>

where ECMessageHelper.doubleTheApostrophy(follettText.getString("isbnNotFound")) = The ISBN - "{0}" could not be found. Please check to ensure you have entered the number correctly.

and request.getParameter("isbn") = <image>

I see this on the result page with an image placeholder between the quotes.
The ISBN - "" could not be found. Please check to ensure you have entered the number correctly.
 
Al Kho
Greenhorn
Posts: 3
I guess what you're saying is that <image> will get interpreted by the browser as will <script> and any valid tags.
 
Ernest Friedman-Hill
author and iconoclast
Sheriff
Posts: 24217
Originally posted by Al Kho:
I guess what you're saying is that <image> will get interpreted by the browser as will <script> and any valid tags.

Yes, so you need to convert "<" into "&lt;" in the parameter values before sending them to format(); you could just use String.replaceAll() to do this. You might want to replace "&" and ">" characters too, for good measure.
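An added example (my code, not the poster's JSP and not the ECMessageHelper or follettText classes, which are assumed here to yield the pattern quoted earlier in the thread): the request parameter is HTML-escaped before it is handed to format(), so the browser displays whatever the user typed as text instead of interpreting it as markup.

```java
import java.text.MessageFormat;

public class IsbnMessage {
    // Constructed to match the resource-bundle text quoted in the thread, after the
    // apostrophe doubling that MessageFormat patterns need. Stand-in for the real lookup.
    static final String PATTERN =
        "The ISBN - \"{0}\" could not be found. Please check to ensure you have entered the number correctly.";

    /** Replaces the characters that let a value change the structure of an HTML page. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** What the JSP in the thread does: the raw parameter value lands in the page. */
    static String renderUnsafe(String isbn) {
        return MessageFormat.format(PATTERN, new Object[]{isbn});
    }

    /**
     * Escape the argument, not the finished string, so any markup that belongs to the
     * pattern itself is left alone. Arguments are inserted verbatim by MessageFormat,
     * so the single-quote rules that apply to the pattern do not touch the escaped value.
     */
    static String renderSafe(String isbn) {
        return MessageFormat.format(PATTERN, new Object[]{escapeHtml(isbn)});
    }

    public static void main(String[] args) {
        // Constructed input of the kind described in the thread.
        String input = "<image src=\"x\">";
        System.out.println(renderUnsafe(input)); // tag reaches the browser as markup
        System.out.println(renderSafe(input));   // tag reaches the browser as literal text
    }
}
```

Escaping belongs at the point where the value is written into HTML; if the same message is also logged or sent in plain-text e-mail, use the unescaped parameter there.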
 