How to encode user entered data in the form when played back as an error. The user needs to see what they entered to correct the form entry. example that needs encoding: #$%&'()*!"+,-./:;?@[]^_`{|}~\
] th:utext will correctly show html encoded from the server.
] th:field incorrectly shows the html encoded values. Is there a th:Ufield or some other solution.
business rule: "*non-encoded output could be vulnerable to Cross-Site Scripting which allows an attacker to run scripts inside a victim’s browser.*"
Sample template below.
<form id="ccForm" th:action="@{/saveBankAccount}" th:object="${BankAccountBean}" method="POST">
<div th:if="${error_messageDisplay == 'TRUE'}">
<ul class="errorMessage">
<li th:text="${error_message}">server message goes here</li>
</ul>
</div>
<fieldset>
<div class="box">
<label #{jsp.payment.paymentAccountName}"></label>
<input type="text" th:field="*{paymentAccountName}" th:max="40" />
</div>
. . . . .
</form>