Use Message body
Hi everyone!
I'm currently trying to create a custom component; the goal is to display specific messages using a condition.
I have the correct QUERY but I don't know how to use/render the response.
This is my code:
<#assign apiVersion = "2.0" />
<#assign QUERY = "SELECT * FROM messages WHERE tags.text = 'F5 XC'" />
<#assign messageList = rest(apiVersion, "/search?q=" + QUERY?url).data.items />
<section>
<h1 style="color: red;">Message List Component</h1>
<#list messageList as messageItem>
<h2 style="color: green;">${messageItem.subject}</h2>
<p>${messageItem.body}</p>
</#list>
</section>
This is the result:
I'm getting the HTML tags in the body as strings, so my question is: how can I use the response, or how can I render the message body properly?
FreeMarker auto-escaping is turned on for your community. This is a great security measure to prevent arbitrary code from executing on your community.
More details on FreeMarker auto-escaping: https://freemarker.apache.org/docs/dgui_misc_autoescaping.html
The safest option is to work around this by removing the HTML markup from the response, and render the text as plain text.
You can also see from that FreeMarker doc that you can use ?no_esc to prevent escaping on that variable.
BE CAREFUL doing that, especially on the message subject. The message body is USUALLY protected by HTML permissions and prevents users from posting unsafe HTML. But it shouldn't be assumed to be fool-proof.
DO NOT ?no_esc the message subject. The message subject allows arbitrary HTML regardless of HTML permissions in community. Core components escape the subject, but the API does not do this for you, so someone can put JavaScript in the message subject, and it would execute if you do ?no_esc on it.
Some characters get double-escaped, such as " appearing as &quot;, so you may want to add some fixes such as ?replace('&quot;','"') on the message subject so safe characters like that still appear as desired.
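
The plain-text approach from the answer above, applied to the component in the question. This is an added example, not code from the thread: `toPlainText` is a hypothetical helper name, and the list of entities it decodes is an assumption about what typically appears in message bodies.

```freemarker
<#-- Added example. Assumes auto-escaping stays on for the community and that
     rest() returns subject and body as plain strings, as in the question. -->
<#assign apiVersion = "2.0" />
<#assign QUERY = "SELECT * FROM messages WHERE tags.text = 'F5 XC'" />
<#assign messageList = rest(apiVersion, "/search?q=" + QUERY?url).data.items />

<#-- Hypothetical helper: drop markup and decode a few common entities so the
     text reads naturally. The result is still an ordinary string, so the
     interpolation escapes it again on output. If the regex misses something,
     the leftover shows up as visible text instead of running as markup. -->
<#function toPlainText raw>
  <#local text = raw?replace("<[^>]*>", " ", "r") />
  <#local text = text?replace("&nbsp;", " ") />
  <#local text = text?replace("&quot;", '"') />
  <#local text = text?replace("&#39;", "'") />
  <#local text = text?replace("&lt;", "<") />
  <#local text = text?replace("&gt;", ">") />
  <#-- Decode &amp; last so "&amp;lt;" does not collapse into "<". -->
  <#local text = text?replace("&amp;", "&") />
  <#-- Collapse the whitespace left behind by removed tags. -->
  <#return text?replace(r"\s+", " ", "r")?trim />
</#function>

<section>
  <h1>Message List Component</h1>
  <#list messageList as messageItem>
    <#-- Subject: keep auto-escaping, only undo the double-escaped quote. -->
    <h2>${(messageItem.subject!"")?replace("&quot;", '"')}</h2>

    <#-- Body as plain text; a missing body renders as an empty paragraph. -->
    <p>${toPlainText(messageItem.body!"")}</p>

    <#-- Alternative from the answer: render the stored HTML and rely on the
         community's HTML permissions. Body only, never the subject:
         ${messageItem.body?no_esc} -->
  </#list>
</section>
```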