MessageFormat.format issue
|
Al Kho
Greenhorn
Joined: Jun 20, 2006
Posts: 3
|
|
Hi, I have an application that uses MessageFormat.format. This works well in most cases except when I try to enter things like <script> or <image>. It doesn't treat these as text but runs them! For example, entering <image> will result in a spot for the image. If you specify the image source, then it displays the image. Any ways to get around this? Thanks!
|
 |
Ernest Friedman-Hill
author and iconoclast
Marshal
Joined: Jul 08, 2003
Posts: 24061
|
|
Hi, Welcome to JavaRanch! MessageFormat.format() can't, of course, display anything, as it just returns a String or StringBuffer. What matters is what you do with that returned object. If it looks like HTML, and you're displaying in something that knows how to display HTML, then of course you're going to get rendered HTML. Tell us what you're doing with the results from calling format().
|
|
 |
Al Kho
Greenhorn
Joined: Jun 20, 2006
Posts: 3
|
|
The code is in a jsp:
<%= MessageFormat.format(ECMessageHelper.doubleTheApostrophy(follettText.getString("isbnNotFound")), new Object[]{request.getParameter("isbn")}) %>
where ECMessageHelper.doubleTheApostrophy(follettText.getString("isbnNotFound")) = The ISBN - "{0}" could not be found. Please check to ensure you have entered the number correctly.
and request.getParameter("isbn") = <image>
I see this on the result page with an image placeholder between the quotes.
The ISBN - "" could not be found. Please check to ensure you have entered the number correctly.
|
 |
Al Kho
Greenhorn
Joined: Jun 20, 2006
Posts: 3
|
|
|
I guess what you're saying is that <image> will get interpreted by the browser as will <script> and any valid tags.
|
 |
Ernest Friedman-Hill
author and iconoclast
Marshal
Joined: Jul 08, 2003
Posts: 24061
|
|
Originally posted by Al Kho: I guess what you're saying is that <image> will get interpreted by the browser as will <script> and any valid tags.
Yes, so you need to convert "<" into "&lt;" in the parameter values before sending them to format(); you could just use String.replaceAll() to do this. You might want to replace "&" and ">" characters too, for good measure.
|