wicket should already escape the markup for you. please provide a
quickstart where it is not doing it.

-igor

On Thu, Nov 25, 2010 at 7:15 AM, Ian Marshall <ianmarshall...@gmail.com> wrote:
>
> If a user has entered some HTML in a TextField or TextArea<String> when I do
> not want HTML to be entered, what is a good way to prevent this?
>
> Currently, I store the offending strings and then render them using a Label
> or MultiLineLabel, but for neither component does
>
>  Component.setEscapeModelStrings(true);
>
> have an effect (presumably since this setting is already true by default).
>
> Am I condemned to coding a method to examine the models of my TextField and
> TextArea<String> components at form-submission-time and remove any HTML code
> manually?
>
> Any comments would be appreciated,
>
> Ian
> --
> View this message in context: 
> http://apache-wicket.1842946.n4.nabble.com/Preventing-user-input-script-injection-attacks-tp3059119p3059119.html
> Sent from the Users forum mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
>
>
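
An added example, not part of the original thread: a minimal check of the default behaviour discussed above, rendering the same constructed input through a `Label` with escaping on (the default) and off. It assumes Wicket 6 or later with `wicket-core` and its test dependencies on the classpath; the class name `LabelEscapingCheck`, the component id `msg` and the sample input are hypothetical.

```java
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.util.tester.WicketTester;

public class LabelEscapingCheck {

    // Renders a Label holding userInput inside a generated test page
    // and returns the markup that would be sent to the browser.
    static String render(WicketTester tester, String userInput, boolean escape) {
        Label label = new Label("msg", userInput);
        label.setEscapeModelStrings(escape); // true is already the default
        tester.startComponentInPage(label);
        return tester.getLastResponseAsString();
    }

    public static void main(String[] args) {
        WicketTester tester = new WicketTester();
        try {
            // Constructed sample of HTML typed into a TextField.
            String input = "<b>bold</b> & \"quoted\"";

            String escaped = render(tester, input, true);
            String raw = render(tester, input, false);

            // With escaping on, the markup characters arrive as entities,
            // so the browser displays the text instead of interpreting it.
            if (escaped.contains("<b>") || !escaped.contains("&lt;b&gt;bold&lt;/b&gt;")) {
                throw new AssertionError("Label did not escape: " + escaped);
            }
            // With escaping switched off, the stored string is emitted as-is.
            if (!raw.contains("<b>bold</b>")) {
                throw new AssertionError("Expected raw markup: " + raw);
            }

            System.out.println("escaped: " + escaped);
            System.out.println("raw:     " + raw);
        } finally {
            tester.destroy();
        }
    }
}
```

Escaping happens at render time, so the stored string keeps the characters the user typed; only components rendered with `setEscapeModelStrings(false)` emit them as markup.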
