Use Message body
- 2 years ago
FreeMarker auto-escaping is turned on for your community. This is a great security measure to prevent arbitrary code from executing on your community.
More details on FreeMarker auto-escaping: https://freemarker.apache.org/docs/dgui_misc_autoescaping.html
The safest option is to work around this by removing the HTML markup from the response, and render the text as plain text.
You can also see from that FreeMarker doc that you can use ?no_esc to prevent escaping on that variable.
BE CAREFUL doing that, especially on the message subject. The message body is USUALLY protected by HTML permissions, which prevent users from posting unsafe HTML. But it shouldn't be assumed to be fool-proof.
DO NOT ?no_esc the message subject. The message subject allows arbitrary HTML regardless of HTML permissions in the community. Core components escape the subject, but the API does not do this for you, so someone can put JavaScript in the message subject, and it would execute if you do ?no_esc on it.
Some characters get double-escaped, such as " appearing as &quot; , so you may want to add some fixes such as ?replace('&quot;','"') on the message subject so safe characters like that still appear as desired.
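
The three ways of rendering a subject described in the answer above, side by side, as an added example that is not part of the original post. The `plainQuotes` helper, the sample subject and the `&#39;` replacement are assumptions made for illustration; the answer itself only mentions `&quot;`.

```freemarker
<#ftl output_format="HTML">
<#-- Added example. The ftl header above only turns auto-escaping on when this
     file is run on its own; where auto-escaping is already on for the
     community, leave it out. -->

<#-- Hypothetical helper: turn entities that are already encoded in the plain
     string back into characters. It returns a plain string, so auto-escaping
     still encodes the result when it is printed. -->
<#function plainQuotes text>
  <#return text?replace('&quot;', '"')?replace('&#39;', "'")>
</#function>

<#-- Constructed sample standing in for a subject returned by the API. -->
<#assign subject = 'Re: &quot;login&quot; help <script>alert(1)</script>'>

<#-- 1. Default: markup is inert, but the reader sees a literal &quot; because
     the ampersand of the existing entity is escaped a second time. -->
<h2>${subject}</h2>

<#-- 2. Replace the entity and keep auto-escaping: the quotes display as
     quotes and the script tag is still printed as text. -->
<h2>${plainQuotes(subject)}</h2>

<#-- 3. Unsafe, left commented out: ?no_esc emits the subject as markup, so
     the script tag would reach the browser as a real element. -->
<#-- <h2>${subject?no_esc}</h2> -->
```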