Forum Discussion

alfozaav
Helper
2 years ago
Solved

Use Message body

Hi everyone!

I'm currently trying to create a custom component, the goal is to display specific messages using a condition.

I have the correct QUERY but I don't know how to use/render the response.

This is my code:

<#assign apiVersion = "2.0" />
<#assign QUERY = "SELECT * FROM messages WHERE tags.text = 'F5 XC'" />
<#assign messageList = rest(apiVersion, "/search?q=" + QUERY?url).data.items />

<section>
    <h1 style="color: red;">Message List Component</h1>

    <#list messageList as messageItem>
        <h2 style="color: green;">${messageItem.subject}</h2>
        <p>${messageItem.body}</p>
    </#list>
</section>

This is the result:

I'm getting the HTML tags in the body as strings, so my question is: how can I use the response, or how can I render the message body properly?

6 Replies

  •
    MattV
    Khoros Staff
    2 years ago

    Freemarker auto escaping is turned on for your community. This is a great security measure to prevent arbitrary code from executing on your community.

    More details on freemarker auto escape: https://freemarker.apache.org/docs/dgui_misc_autoescaping.html

    The safest option is to work around this by removing the HTML markup from the response and rendering the text as plain text.

    You can also see from that freemarker doc that you can use ?no_esc to prevent escaping on that variable.

    BE CAREFUL doing that, especially on the message subject. The message body is USUALLY protected by HTML permissions, which prevent users from posting unsafe HTML. But it shouldn't be assumed to be fool-proof.

    DO NOT ?no_esc the message subject. The message subject allows arbitrary HTML regardless of HTML permissions in community. Core components escape the subject, but the API does not do this for you, so someone can put javascript in the message subject, and it would execute if you do ?no_esc on it.

    Some characters get double-escaped, such as " appearing as &quote;, so you may want to add some fixes such as ?replace('&quote;','"') on the message subject so safe characters like that still appear as desired.
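An added example, not code from this thread or from Khoros: the component from the question reworked along the lines of this reply, with auto-escaping left on, the body reduced to plain text, and the subject never passed through ?no_esc. It assumes the same rest context object and tag query as the question, and that the double-escaped quote comes back as the standard &quot; entity (adjust the ?replace to whatever the API really returns).

```freemarker
<#-- Added example (not from the thread). Auto-escaping stays on for the
     whole component; nothing here disables it. -->
<#assign apiVersion = "2.0" />
<#assign QUERY = "SELECT subject, body, view_href FROM messages WHERE tags.text = 'F5 XC'" />
<#-- Default to an empty list so a failed call renders nothing instead of erroring. -->
<#assign messageList = (rest(apiVersion, "/search?q=" + QUERY?url).data.items)![] />

<#-- Safest option from the reply: drop the markup and show the body as text.
     The regex removes tags; auto-escaping then encodes whatever is left,
     so any markup that survives stripping is still shown, not executed. -->
<#function asPlainText html>
  <#return html?replace("<[^>]*>", "", "r")?replace("&nbsp;", " ") />
</#function>

<#-- Subject handling: auto-escaped output only. The one fix applied is
     undoing the double-escaped quote the reply mentions (assumed here to be
     the standard entity; the thread writes it as &quote;). -->
<#function subjectText subject>
  <#return subject?replace('&quot;', '"') />
</#function>

<section>
  <h1>Message List Component</h1>
  <#list messageList as messageItem>
    <h2><a href="${messageItem.view_href}">${subjectText(messageItem.subject)}</a></h2>
    <p>${asPlainText(messageItem.body)}</p>
    <#-- If you decide the community's HTML permissions on the body are
         trustworthy enough, the opt-in is body only, never subject:
         <div>${messageItem.body?no_esc}</div> -->
  </#list>
</section>
```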

  • Hi MattV, thank you for your help!

    Is there a way to add existing classes/styles to the message body or message itself?

  •
    MattV
    Khoros Staff
    2 years ago

    I'm not sure I understand the question. What exactly are you trying to accomplish?

  •
    alfozaav
    Helper
    2 years ago

    I'm trying to create a component that shows articles/messages from a custom source (we're using LiQL 2.0).

    We're getting the response but we want it to look similar to the image, so my question is:

    Is there a way to grab existing site styles and apply them to the custom component?

    Do I have to do all the styling on my own?

  •
    MattV
    Khoros Staff
    2 years ago

    That looks like it's from the Hermes community activity feed.

    It's using the renderMessage macro from the macro file theme-lib.message-macros.

    Usage would look something like

    <#include "theme-lib.message-macros.ftl" />
    ...
    <#assign query = "SELECT id, tags, labels, conversation.solved, conversation.last_post_time, conversation.last_post_time_friendly, user_context.read, images, board.id, board.title, board.view_href, teaser, body, post_time_friendly, subject, author.login, author.view_href, author.avatar.profile, author.rank.name, author.rank.color, author.rank.bold, post_time, view_href, kudos.sum(weight), replies.count(*), metrics.views, conversation.solved FROM messages WHERE message.id = '1'" />
    
    <#assign msg = (liql(query).data.items)![] />
    
    <#if msg?has_content>
        <@renderMessage msg />
    </#if>