Thursday, June 23, 2011

Portal Rich Text editor

If your portlet extends FacesPortlet, you can easily place a rich text editor in the JSP page through the jsf/rte tag library.

Sample code :
<h:form styleClass="form" id="form1">
    <h:panelGrid styleClass="panelGrid" id="grid1">
        <hx:commandExButton type="submit" value="Submit" styleClass="commandExButton" id="button1"></hx:commandExButton>
        <r:inputRichText width="702" height="352" id="richTextEditor1" value="#{pc_TextEditorView.richText}"></r:inputRichText>
    </h:panelGrid>
</h:form>

If you just display the RTE-submitted text in a JSF output tag, all the extra RTE markup is displayed as well, like: &lt;span style="font-weight: bold;"&gt;Name : Mike&lt;/span&gt;&lt;br style="font-weight: bold;"&gt;

The "escape" attribute of h:outputText controls whether HTML characters are "escaped" (turned into text) or sent to the browser as HTML. To pass the HTML through instead of escaping it, set escape="false" on the outputText tag. Even after setting escape="false", you will still get the value in HTML form, e.g. <span style="font-weight: bold;">Name : Mike</span><br style="font-weight: bold;">
The output text includes the HTML tags instead of using them to format the text.

This is because Portal server has a "cross site scripting" protection setting that is ON by default. This protection escapes all HTML passed in request parameters. Since the RTE submits HTML, it also gets escaped, and the result is what you see.

A Portal server administrator can turn it off via the parameter security.css.protection in ConfigService.properties.
Alternatively, we can unescape the HTML ourselves when the request is submitted:
org.apache.commons.lang.StringEscapeUtils.unescapeHtml(richTextEscapedHtml);


Note -
1) Make sure you have the classloader set to PARENT_LAST for your portlet.

Side note:
2) Use the escape attribute with extreme care. If someone somehow got JavaScript into the text, for example:
<script type="text/javascript">alert("i can do anything now");</script>
this would be executed by the browser when rendered. You need to make sure the text being rendered with escape="false" is safe text.
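As an added example (not the post's code), this is how the backing bean behind #{pc_TextEditorView.richText} could apply the unescapeHtml step above and then reduce the result to an allowlist before the view renders it with escape="false". The class and method names are assumptions, and the OWASP Java HTML Sanitizer is an assumed extra dependency alongside commons-lang.

```java
import org.apache.commons.lang.StringEscapeUtils;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Assumed backing bean for the RTE view; the post only shows the EL expression.
public class TextEditorView {

    // Allowlist of what the RTE legitimately emits: inline formatting, block
    // elements and sanitised style="..." values. Everything else (script,
    // event-handler attributes, javascript: URLs, unknown tags) is dropped.
    private static final PolicyFactory RTE_POLICY = new HtmlPolicyBuilder()
            .allowCommonInlineFormattingElements()
            .allowCommonBlockElements()
            .allowStyling()
            .toFactory();

    private String richText = "";

    // Rendered by <h:outputText value="#{pc_TextEditorView.richText}" escape="false"/>
    public String getRichText() {
        return richText;
    }

    // JSF calls this on submit with the value that Portal's
    // security.css.protection has already HTML-escaped.
    public void setRichText(String escapedFromRequest) {
        this.richText = cleanRteHtml(escapedFromRequest);
    }

    // Undo the Portal escaping (the step the post describes), then keep only
    // allowlisted markup so escape="false" can never render script.
    // Order matters: sanitise AFTER unescaping, otherwise "&lt;script&gt;" passes
    // the sanitiser as plain text and turns into a real tag when unescaped later.
    // If the administrator turned security.css.protection off, skip the unescape.
    static String cleanRteHtml(String escapedFromRequest) {
        if (escapedFromRequest == null) {
            return "";
        }
        String html = StringEscapeUtils.unescapeHtml(escapedFromRequest);
        return RTE_POLICY.sanitize(html);
    }

    public static void main(String[] args) {
        // Constructed inputs: the post's escaped RTE output, plus the post's injected script.
        String fromRte = "&lt;span style=\"font-weight: bold;\"&gt;Name : Mike&lt;/span&gt;"
                + "&lt;br style=\"font-weight: bold;\"&gt;";
        String hostile = fromRte
                + "&lt;script type=\"text/javascript\"&gt;alert(\"i can do anything now\");&lt;/script&gt;";
        System.out.println(cleanRteHtml(fromRte));  // formatting kept, style value sanitised
        System.out.println(cleanRteHtml(hostile));  // script element removed
    }
}
```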
