#56 Field-level escaping of text values


At least in the HTML layout engine (HTMLLE), formula output is escaped to make it safe for insertion into HTML. However, this means markup such as links cannot be emitted, because < and > are converted to &lt; and &gt; respectively.

To address this, add an option on any field, shown in the format dialog, to escape or not escape the field. The default would be to escape it, so backwards-compatibility is maintained.

Here's a quote from a mailing list exchange that covers this:

> > // Fix courtesy of Brendon Price <Brendon.Price@sytec.co.nz>
> > if ("&nbsp;".equals(str))
> >     out.print(str);
> > else
> >     out.print(StringUtils.newlinesToXHTMLBreaks(StringUtils.escapeHTML(str)));
> >
> > DataVision is indeed modifying the data that gets output. There are a few
> > possible solutions:
> >
> > 1) Stop doing that.
> > 2) Make it a command line flag.
> > 3) Keep doing that.
> >
> > The original idea was to make the output be the same between all layout
> > engines, without having the user worry about escaping data for HTML.

Ok... given this explanation (which seems perfectly valid to me), and given the suggestions made by Jonathan, and given the concern Charles mentioned about not changing the current behavior (which I agree with), I propose the following solution...

What if we add an option to the format menu, maybe a checkbox labeled "Literal Output". When unchecked, DV does what it does today. When checked, we don't touch the value at all and just pass it on through. This leaves the default as it is today, yet gives users a per-field way to get the different functionality to allow for links, or really anything else that might come up.

This of course changes the report format slightly, since we'd need to add that attribute to the <format> tag, but I think I can live with that, assuming the attribute is optional and not being present equates to unchecked.
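The following is an added example, not DataVision's own code, showing the escape-by-default behaviour quoted above (the "&nbsp;" special case, HTML escaping, newlines to XHTML breaks) together with the proposed optional `literal` attribute on the <format> tag. The attribute name, the XML shape of the report fragment, the function names and the sample row are all assumptions made for the illustration.

```python
"""Field-level HTML escaping with a per-field "Literal Output" opt-out.

Added example, not DataVision's own code. The `literal` attribute name,
the <report>/<field>/<format> XML shape and the sample data are assumed.
"""
import html
import xml.etree.ElementTree as ET

# Placeholder DataVision emits for an empty cell; passed through unescaped.
NBSP = "&nbsp;"


def escape_html(s: str) -> str:
    """Escape the characters that are meaningful in HTML text and attributes."""
    return html.escape(s, quote=True)


def newlines_to_xhtml_breaks(s: str) -> str:
    """Turn line breaks into XHTML <br /> so multi-line values still wrap."""
    return s.replace("\r\n", "\n").replace("\n", "<br />")


def render_field(value: str, literal: bool = False) -> str:
    """Produce the HTML for one field value.

    literal=False is today's behaviour: the "&nbsp;" placeholder is passed
    through, everything else is escaped and newline-converted.
    literal=True is the proposed opt-out: the value is emitted untouched,
    so it is only safe for values the report author controls.
    """
    if literal:
        return value
    if value == NBSP:
        return value
    return newlines_to_xhtml_breaks(escape_html(value))


# Constructed report fragment (assumed shape). The `literal` attribute is
# optional; when absent the field is escaped exactly as before.
REPORT_XML = """
<report>
  <field id="1" column="customers.name"><format/></field>
  <field id="2" column="customers.homepage"><format literal="true"/></field>
  <field id="3" column="customers.notes"><format literal="false"/></field>
</report>
"""


def load_field_flags(xml_text: str) -> dict:
    """Map field id -> literal flag, defaulting to False when the attribute is absent."""
    root = ET.fromstring(xml_text)
    flags = {}
    for field in root.iter("field"):
        fmt = field.find("format")
        raw = fmt.get("literal", "false") if fmt is not None else "false"
        flags[field.get("id")] = raw.strip().lower() == "true"
    return flags


def render_row(flags: dict, row: dict) -> dict:
    """Render every field of one database row according to its per-field flag."""
    return {fid: render_field(val, flags.get(fid, False)) for fid, val in row.items()}


# Constructed row: field 2 is the link the report author wants to emit
# verbatim; field 3 is end-user supplied text and deliberately hostile.
SAMPLE_ROW = {
    "1": "Smith & <Sons>",
    "2": '<a href="https://example.com/">example.com</a>',
    "3": "<script>alert(1)</script>\nline two",
}

if __name__ == "__main__":
    for fid, out in render_row(load_field_flags(REPORT_XML), SAMPLE_ROW).items():
        print(fid, out)
```

The check a practitioner wants is the one field 3 exercises: the flag is a property of the report definition, not of the data, so a column that is marked literal will pass `<script>` from the database straight into the page. Leaving the attribute off (field 1) keeps the current escaping, and only fields whose values the report author fully controls (field 2) should be switched to literal output.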

