Thursday, 25 October 2012

Critical Update - Generate correctly escaped markup

Prior to the Winter '13 release, text in some Visualforce pages and components might have been generated incorrectly. This markup could contain fragments that should have been escaped (for example, the "<" character generated as &lt;) but were not. These fragments might be interpreted by the browser as markup rather than as text in the page. This problem has been corrected for all pages with API version 26.0 or later.

Your organization might contain pages or components that depend on this incorrect processing. These pages need to be fixed. To fix them, you will generally need to use <apex:outputText> with the attribute escape="false" to cause the text to be generated unescaped, as it was previously.

If your page contains either:

<apex:outputText value="{!something}"/>, or
A free-standing expression {!something}

And you’re expecting the string returned by the controller for {!something} to be treated as markup, rather than displayed in the page, then this page needs to be changed.

For the first case, you simply need to set the escape attribute to false: <apex:outputText value="{!something}" escape="false"/>.

For the second case, you need to modify the expression to be output using <apex:outputText> as with the first case:

<apex:outputText value="{!something}" escape="false"/>

When you have fixed any affected pages, you should activate this Critical Update.

VFP Page



  
  
  



class


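global class criticalUpdate {

    public String dummyString
    {
        get
        {
            // Value the Visualforce page reads from this property.
            // Apex string literals cannot span lines, so it is kept on one line.
            return 'Test';
        }
        set;
    }
}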
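
An added example, not code from the original post or from Salesforce: once a value is output with escape="false", Visualforce no longer encodes it, so a controller that mixes fixed markup with request or record data has to encode the dynamic part itself. The class, property and parameter names (SafeMarkupController, bannerHtml, visitorText, "name") are hypothetical; String.escapeHtml4() and ApexPages.currentPage() are standard Apex.

```apex
// Added example: names are hypothetical, not from the original page.
public with sharing class SafeMarkupController {

    // Untrusted input taken from the request, e.g. /apex/SafeMarkup?name=...
    private String visitorName() {
        String raw = ApexPages.currentPage().getParameters().get('name');
        return String.isBlank(raw) ? 'guest' : raw;
    }

    // Bound with escape="false" in the page, so this string reaches the
    // browser exactly as returned. The markup is fixed text written here;
    // the untrusted part is HTML-encoded before it is concatenated in.
    public String bannerHtml {
        get {
            return '<b>Welcome, ' + visitorName().escapeHtml4() + '</b>';
        }
    }

    // Plain text with no markup: return the raw value and leave the default
    // escaping on in the page, so Visualforce encodes it on output.
    public String visitorText {
        get {
            return visitorName();
        }
    }
}

/* Matching page markup (Visualforce), shown here as a comment:

<apex:page controller="SafeMarkupController">
    <!-- Controller-built markup: escaping off, dynamic part encoded in Apex -->
    <apex:outputText value="{!bannerHtml}" escape="false"/>

    <!-- Plain text: default escaping stays on -->
    <apex:outputText value="{!visitorText}"/>
</apex:page>
*/
```

When reviewing pages changed for this Critical Update, each escape="false" binding is worth tracing back to its controller getter to confirm that every non-constant piece of the returned string is encoded.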
