102

I'm using Thymeleaf to process HTML templates. I understood how to append inline strings from my controller, but now I want to append a fragment of HTML code into the page.

For example, let's say that I have this in my Java application:

String n="<span><i class=\"icon-leaf\"></i>"+str+"</span> <a href=\"\"></a>\n";

final WebContext ctx = new WebContext(request, response, 
                                      servletContext, request.getLocale());
ctx.setVariable("n", n);

What do I need to write in the HTML page so that it would be replaced by the value of the n variable and be processed as HTML code instead of it being encoded as text?

3 Answers

169

You can use the th:utext attribute, which stands for unescaped text (see documentation). Use this with caution and avoid user input in th:utext as it can cause security problems.

<div th:remove="tag" th:utext="${n}"></div>

4 Comments

Does this work with Apache FOP as well while rendering a PDF? Because I don't see any change adding utext tag.
I tried this but it literally throws an error for every HTML tag I use saying it needs a closing tag, even when the closing tag is present.
Important thing to note: using utext makes you vulnerable to cross-site scripting attacks. An attacker can store malicious HTML in your n variable that would get executed every time the page is rendered on your user's browser. See owasp.org/index.php/…
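
The risk raised in the answer and in the comment above, as an added example (not code from the question or the answers): the question's fragment is rendered through th:utext twice, once with `str` concatenated as-is and once with `str` HTML-escaped before it is joined to the trusted markup. It assumes Thymeleaf 3 with its unbescape dependency on the classpath; the class name, the helper methods and the sample `str` value are constructed for illustration.

```java
import org.thymeleaf.TemplateEngine;
import org.thymeleaf.context.Context;
import org.thymeleaf.templatemode.TemplateMode;
import org.thymeleaf.templateresolver.StringTemplateResolver;
import org.unbescape.html.HtmlEscape;

public class UtextEscapingDemo {

    // Template from the answer above: th:utext writes ${n} without escaping.
    static final String TEMPLATE = "<div th:remove=\"tag\" th:utext=\"${n}\"></div>";

    // Same fragment as in the question: str goes into the markup unescaped.
    static String fragmentRaw(String str) {
        return "<span><i class=\"icon-leaf\"></i>" + str + "</span> <a href=\"\"></a>\n";
    }

    // Only the fixed markup stays raw; the dynamic value is escaped first.
    static String fragmentEscaped(String str) {
        return "<span><i class=\"icon-leaf\"></i>"
                + HtmlEscape.escapeHtml5(str)
                + "</span> <a href=\"\"></a>\n";
    }

    // Renders TEMPLATE with the given value bound to the variable n.
    static String render(TemplateEngine engine, String n) {
        Context ctx = new Context();
        ctx.setVariable("n", n);
        return engine.process(TEMPLATE, ctx);
    }

    public static void main(String[] args) {
        // With a StringTemplateResolver the "template name" is the template text.
        StringTemplateResolver resolver = new StringTemplateResolver();
        resolver.setTemplateMode(TemplateMode.HTML);
        TemplateEngine engine = new TemplateEngine();
        engine.setTemplateResolver(resolver);

        // Constructed sample standing in for a value that came from a user.
        String str = "<script>alert(1)</script>";

        System.out.println("unescaped str: " + render(engine, fragmentRaw(str)));
        System.out.println("escaped str:   " + render(engine, fragmentEscaped(str)));
    }
}
```

In the first line of output the sample value reaches the page as a script element; in the second it appears as character references and is displayed as text, while the span, icon and link markup are still emitted as HTML.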

21

If you want short-hand syntax you can use the following:

[(${variable})]

Escaped short-hand syntax is

[[${variable}]]

but if you change the inner square brackets [ to regular ( ones, the HTML is not escaped.

Example within tags:

<div>
    [(${variable})]
</div>

1

Starting with Thymeleaf 3.0, the HTML-friendly tag would be:

<div class="mailbox-read-message" data-th-utext="*{body}"></div>
