-rw-r--r-- | documentation/datamodel/datamodel-forms.asciidoc | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/documentation/datamodel/datamodel-forms.asciidoc b/documentation/datamodel/datamodel-forms.asciidoc
index 0a040230c6..f34bae1aa2 100644
--- a/documentation/datamodel/datamodel-forms.asciidoc
+++ b/documentation/datamodel/datamodel-forms.asciidoc
@@ -572,10 +572,16 @@ BinderValidationStatusHandler defaultHandler = binder.getValidationStatusHandler
 binder.setValidationStatusHandler(status -> {
 // create an error message on failed bean level validations
 List<Result<?>> errors = status.getBeanValidationErrors();
+ // collect all bean level error messages into a single string,
 // separating each message with a <br> tag
 String errorMessage = errors.stream().map(Result::getMessage)
- .map(o -> o.get()).collect(Collectors.joining("<br>"));
+ .map(o -> o.get())
+ // sanitize the individual error strings to avoid code injection
+ // since we are displaying the resulting string as HTML
+ .map(errorString -> Jsoup.clean(errorString, Whitelist.simpleText()))
+ .collect(Collectors.joining("<br>"));
+ // finally, display all bean level validation errors in a single label
 formStatusLabel.setValue(errorMessage);
 formStatusLabel.setVisible(!errorMessage.isEmpty()); |