|
I use '@SafeHtml' on PsersonDto like this:
[PersonDto.java]
...
@NotBlank
@SafeHtml(whitelistType = WhiteListType.NONE)
private String firstName;
And validate this on Spring Controller like this:
[RegistrationController.java]
...
@RequestMapping(value = "/registrationUser", method = RequestMethod.POST)
public String registrationUser(@Valid PersonDto personDto,
BindingResult result) {
logger.debug("registrationUser");
logger.debug("personDto: {}", personDto);
if (result.hasErrors()) {
for (ObjectError error : result.getAllErrors()) {
logger.error("error: {}", error.getDefaultMessage());
}
return formViewName;
} else { personManager.registrationPerson(personDto); return completedViewName; }
}
...
When I test, <script>, <b> tag is not allowed. (result.hasErrors() is true)
But, <td>, <tr> is allowed. (result.hasErrors() is false)
When I use 'NONE' option, whitelist should allows only text nodes.
Is this hibernate validator's bug or Spring framework's bug?
|
