soni rajput

Problem with <apex:outputText>

Hi,

I am developing an AppExchange app. In this app I am using a text editor, and for displaying the data on a Visualforce page I am using <apex:outputText escape="false" value="{!description}"/>. I have used escape="false" because the description may contain images, text in any format and videos.

But the Escape="False" attribute is giving an XSS Attack as a security error. How can I resolve this? Any ideas?

Thanks,

Soni

bob_buzzard

The only way that I'm aware of is to use a rich text area field and the <apex:outputField/> tag - this expects HTML markup to be present in the text and thus doesn't escape it.

bvramkumar

I agree with Bob. You can only use outputfield for RTA fields. Also I experienced that having rerendered attribute to the actions causes problems when there is an RTA field bound with outputfield tag in the VF page.

bob_buzzard

Yep, you can't rerender with a Rich Text Field in the page, you have to refresh the entire page.  I'd imagine this is because the regular HTML text area is turned into a rich text editor via onload javascript.

soni rajput

Hi Bob,

I am using the TinyMCE editor, so the data in it can also be video, and <apex:outputfield> is not displaying it.

Thanks,

Soni

bob_buzzard

TinyMCE editor is different to rich text fields - that is just a front end onto regular text area fields.  I'm not aware of any way to override the standard RT editor with TinyMCE (which is a shame, as I think TinyMCE is one of the best js rich text editors).

soni rajput

Hi Bob,

The problem is not with the TinyMCE editor.

I am storing the description data in a Rich Text Area field and displaying it through <apex:outputfield>. If the Description field has video and image data, then <apex:outputfield> is not displaying it. So how can I display video and image data?

Thanks,

Soni

bob_buzzard

In your initial post you said the problem was that you had to use escape=false - is that still the case or do you have a new issue now?

soni rajput

Hi Bob,

The problem is the same. Earlier I was using <apex:outputText escape="false">, and after your suggestion I am using <apex:outputfield>. Now the problem is that <Apex:outputField> is not displaying images and video.

Thanks,

Soni

asish1989

Hi,

Please go through this link:

http://boards.developerforce.com/t5/Apex-Code-Development/Avoid-Cross-site-Scripting-XSS-using-lt-apex-outputtext-escape/td-p/487587

If this post answers your questions, please mark it as solved and give kudos for this post.

Thanks
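
Added example, not part of the thread or of any poster's code: when editor markup has to be rendered unescaped, as with escape="false" in the first post, a common mitigation is to rebuild the HTML from an allowlist on the server before it is stored or displayed. The code below shows that logic in Python; the allowlist, the names `sanitize` and `clean_url`, and the sample input are assumptions, and in a Visualforce app the same logic would have to be ported to Apex.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist (an assumption): tag -> attributes allowed to survive.
ALLOWED = {t: set() for t in ("p", "br", "b", "i", "em", "strong", "ul", "ol", "li")}
ALLOWED.update({"a": {"href"}, "img": {"src", "alt", "width", "height"},
                "video": {"src", "controls", "width", "height"}})
URL_ATTRS, VOID, DROP_BODY = {"href", "src"}, {"br", "img"}, {"script", "style"}

def clean_url(value):
    # Browsers ignore tabs/newlines inside a scheme, so strip them before checking.
    url = "".join(ch for ch in value if ch > " ")
    return url if url.lower().startswith(("http://", "https://")) else None

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_BODY:
            self.skip += 1  # discard the element body, not just the tag
        if self.skip or tag not in ALLOWED:
            return
        kept = ""
        for name, value in attrs:
            value = clean_url(value or "") if name in URL_ATTRS else (value or "")
            if name in ALLOWED[tag] and value is not None:  # drops on* handlers, style
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in DROP_BODY:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(markup):
    parser = Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed sample of editor output.
SAMPLE = ('<p onclick="x()">Hi <b>there</b></p><script>alert(1)</script>'
          '<img src="https://example.com/a.png" onerror="alert(1)">'
          '<a href="javascript:alert(1)">link</a>')
print(sanitize(SAMPLE))
```

Because the output is re-serialized from parsed tokens rather than filtered with regular expressions, anything not on the allowlist is dropped by default, including tags the list never anticipated.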