Assuming the following string template, is being given a list of Java Bean objects:
<ul>$people:{p|<li>$p.name$ $p.email</li>}$</ul>
ie the list of people might contain Person objects which you may or may not have the ability to enhance/extend:
class Person {
....
public getName() { ... }
public getEmail() { ... }
}
The getName() and getEmail() methods don't return sanitised (escaped html entities). How do you get around this?
You may use a custom renderer, for example:
public static class HtmlEscapeStringRenderer implements AttributeRenderer {
public String toString(Object o, String s, Locale locale) {
return (String) (s == null ? o : StringEscapeUtils.escapeHtml((String) o));
}
}
Then in the template indicate you want it escaped:
$p.name;format="html"$
That said, you may prefer to scrub the data on input, convert before sending to the template, send a decorated person to the template, etc.
public class App {
public static void main(String[] args) {
STGroupDir group = new STGroupDir("src/main/resource", '$', '$');
group.registerRenderer(String.class, new HtmlEscapeStringRenderer());
ST st = group.getInstanceOf("people");
st.add("people", Arrays.asList(
new Person("<b>Dave</b>", "[email protected]"),
new Person("<b>Nick</b>", "[email protected]")
));
System.out.println(st.render());
}
public static class HtmlEscapeStringRenderer implements AttributeRenderer {
public String toString(Object o, String s, Locale locale) {
return (String) (s == null ? o : StringEscapeUtils.escapeHtml((String) o));
}
}
}
This outputs:
<ul><li><b>Dave</b> [email protected]</li><li><b>Nick</b> [email protected]</li></ul>