When does security interfere with outputText escape="false"?

I have a VF page with the following line

    <apex:outputText value="{!idea.body}" escape="false" />


On my sandbox, the tags are not escaped and I get formatted text as I would expect.  However, the same code on production results in output like this:

    <strong>bold</strong><br />
    <em>ital</em><br />
    <u>underline</u><br />
    <strike>strike</strike><br />


I can see that in the database the idea body content is stored identically in the sandbox and production.  So the problem occurs during the display part of the process.


Oddly enough this problem is not plaguing me on some pages.  I haven't figured out the difference yet though.  I will keep looking.


If anyone has a good guess to spur my thoughts, please post it!



Found it.  The problem was not coding but configuration.


In app settings/Ideas/Settings, there is a checkbox with the label: "Enable Text-Formatting, Images and Links."


Checking that box means that subsequent ideas are saved with the isHtml flag set and then the display works as I would like.


Now why before I checked that box it still worked on some pages is a mystery I no longer care to solve.


Incidentally, this is another one of those boxes that once you check it, you can't go back. I hope Salesforce comes up with a more robust design down the road, as I could see hypothetically wanting to go back on this if we later find security problems biting us. The other place I saw it in Ideas is whether to allow just one or multiple category assignments. That change also could break code.