
I want to add HTML code inside a context variable to generate an HTML file composed of some HTML samples. Here is the code:

    import org.thymeleaf.TemplateEngine;
    import org.thymeleaf.context.Context;

    TemplateEngine templateEngine = new TemplateEngine();
    templateEngine.setTemplateResolver(templateResolver);
    Context context = new Context();
    // getHtml(documents) returns a String containing the HTML fragments
    context.setVariable("reportContent", getHtml(documents));
    context.setVariable("reportTitle", "First report");
    System.out.println(context.getVariable("reportContent"));
    // Get the plain HTML with the resolved ${name} variable!
    String html = templateEngine.process("ReportTemplate", context);

The getHtml(documents) function returns basic HTML code, but when it is processed, the HTML code is converted so that it isn't read as HTML but as a string. I think this isn't so clear, so here is an example:

    <h2>Any phrase or word</h2>

becomes:

    &lt;h2&gt;Any phrase or word&lt;/h2&gt;

I'd like the HTML to stay exactly the same when using templateEngine.process(). I hope it is clear; if you have any questions, please ask. Any idea?

Axel
  • Possible duplicate: [Process thymeleaf variable as html code and not text](https://stackoverflow.com/questions/23156585/process-thymeleaf-variable-as-html-code-and-not-text). – andrewJames Feb 23 '21 at 15:00
  • Using unescaped HTML (for example, with user-provided input) may make your code vulnerable to XSS attacks. Some [background notes](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html), in case this is relevant to your situation. – andrewJames Feb 23 '21 at 15:01
  • @andrewjames I use this html code to generate PDF reports with flying sauce, do you think there might be security problems from this? – Axel Feb 23 '21 at 15:12
  • I would ask an expert that specific question. Maybe [here](https://security.stackexchange.com/)? But any time you have HTML containing user-provided (and therefore untrusted) data, you do need to consider the risks. I am reminded of the similar SQL injection [scenario](https://xkcd.com/327/). – andrewJames Feb 23 '21 at 16:47
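The escaping the question describes is Thymeleaf's `th:text` behaviour; `th:utext` inserts the variable verbatim, which is only safe when the markup is generated by the application and any user-supplied values inside it were escaped while the fragment was built. The following is an added example, not code from the question or its comments; it assumes Thymeleaf 3 (which bundles unbescape) on the classpath, and `buildReportHtml` stands in for the asker's own `getHtml(documents)`.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;
import org.unbescape.html.HtmlEscape;

public class ReportEscapingDemo {
    // Constructed sample: a title that an end user typed into one of the documents.
    static final String USER_TITLE = "Q1 results <script>alert('xss')</script>";

    // Hypothetical stand-in for getHtml(documents): the <h2> tags are trusted
    // because the application generates them, but every user-supplied value is
    // HTML-escaped at the moment it is inserted into the markup.
    static String buildReportHtml(String userTitle) {
        return "<h2>" + HtmlEscape.escapeHtml4Xml(userTitle) + "</h2>";
    }

    public static void main(String[] args) {
        // StringTemplateResolver treats the "template name" as the template text,
        // which keeps this demo self-contained.
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);

        Context context = new Context();
        context.setVariable("reportContent", buildReportHtml(USER_TITLE));

        // th:text escapes the whole variable: the behaviour seen in the question,
        // and the safe default for any value that is not meant to be markup.
        String escaped = engine.process(
            "<div th:text=\"${reportContent}\"></div>", context);

        // th:utext inserts the variable as markup; acceptable here only because the
        // tags come from the application and the user data inside was escaped.
        String unescaped = engine.process(
            "<div th:utext=\"${reportContent}\"></div>", context);

        System.out.println(escaped);
        System.out.println(unescaped);
    }
}
```

With `th:utext` the rendered output still contains the user's `<script>` text only as escaped characters, so it is displayed rather than interpreted by the HTML-to-PDF renderer.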

0 Answers