Javascript Escape for WebWork's RichTextEditor

I rolled out the news admin interface to the K-Prep site a few weeks ago, and Claire immediately found a way to break it -- including a single quote (apostrophe) in a news item broke the rendering of the rich text editor control. It turns out that the <ww:richtexteditor/> taglib component doesn't automatically escape the contents of the field before emitting it inside a Javascript string literal, so I had to do it manually.

I fixed it by escaping it in my WebWork action before handing the value off to the JSP: newText = newText.replaceAll("'", "\\\\'"); // yes, it takes that many escapes (the Java literal "\\\\'" is the replacement string \\', which replaceAll emits as \').

I recently saw a recommendation to use freemarker.template.utility.StringUtil.javaScriptStringEnc(String) to accomplish the same thing (with even more complete transformations: it also handles backslashes, double quotes and line terminators, which my one-liner does not). In initial testing, this seems to work just fine, so I'll switch to this utility, since larger minds than mine have already mulled over its implementation.
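To make the failure and the two fixes concrete, here is an added example that is not code from this post, from WebWork or from FreeMarker. escapeApostropheOnly is the post's one-liner; escapeJsString is a hypothetical helper written here in the spirit of javaScriptStringEnc; renderSnippet stands in for what the JSP emits, and the sample news text is constructed for the demonstration.

```java
// Added example: escaping a server-side value before it lands inside a
// single-quoted JavaScript string literal in a JSP. None of this is the
// blog's, WebWork's or FreeMarker's own code.
public class JsEscapeDemo {

    // Exactly what the post's one-liner does: escape the apostrophe, nothing else.
    static String escapeApostropheOnly(String s) {
        return s.replaceAll("'", "\\\\'"); // replacement string \\' -> emits \'
    }

    // Fuller escaping (hypothetical helper, modelled on the kind of work
    // javaScriptStringEnc does): backslash first, both quote kinds, line
    // terminators, other control characters, and '<' so a value can never
    // form "</script>" and close the surrounding script element.
    static String escapeJsString(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\':     out.append("\\\\");   break;
                case '\'':     out.append("\\'");    break;
                case '"':      out.append("\\\"");   break;
                case '\n':     out.append("\\n");    break;
                case '\r':     out.append("\\r");    break;
                case '<':      out.append("\\x3C");  break;
                case '\u2028': out.append("\\u2028"); break; // JS line terminators
                case '\u2029': out.append("\\u2029"); break; // that Java does not treat as such
                default:
                    if (c < 0x20) {
                        out.append(String.format("\\u%04X", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    // Stand-in for the JSP output: the value dropped into a single-quoted literal.
    static String renderSnippet(String value) {
        return "editor.setContent('" + value + "');";
    }

    public static void main(String[] args) {
        // Constructed sample news text: the apostrophe that broke the page,
        // plus a line break and a closing tag the apostrophe-only fix ignores.
        String news = "Claire's update\n</script><script>alert(1)</script>";

        // Apostrophe is escaped, but the raw newline still splits the literal
        // and "</script>" still ends the script element in the browser.
        System.out.println(renderSnippet(escapeApostropheOnly(news)));

        // Every character that could end the literal or the script element
        // is now escaped, so the browser sees one intact string.
        System.out.println(renderSnippet(escapeJsString(news)));
    }
}
```

Run it with javac/java and compare the two printed lines: the first shows why escaping only the quote character is not enough once the value can contain backslashes, newlines or a closing tag, which is the gap the FreeMarker utility closes.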

I still don't comprehend why I should need to do this myself, though. The tag knows the exact value of the text, and it knows it's going to render it in a Javascript snippet, so why should I need to know that? It's a terrible break in encapsulation. I'm working at too high a level to have to worry about Javascript injection. I wonder if the FreeMarker tag for the rich text editor does this correctly.


Filed Under: Computers Web-Dev Java