Critical Update - Generate correctly escaped markup

I'm trying to understand cases where the critical update currently in Winter '13 orgs might come into play. The description of the update says:

Prior to the Winter ’13 release, text in some Visualforce pages and components might have been generated incorrectly. This markup could contain fragments that should have been escaped (for example, the "<" character generated as "&lt;") but were not. These fragments might be interpreted by the browser as markup rather than as text in the page. This problem has been corrected for all pages with API version 26.0 or later.

I don't have the update activated and I've been playing around with it to see what cases might render the markup instead of escaping it. Here's my simple page (version 19.0):

<apex:page controller="HtmlEscapeController">
  <apex:outputText value="{!text}"/>
</apex:page>

and here is my controller (also version 19.0):

public class HtmlEscapeController {
    // Returns literal markup; the page's outputText is expected to escape it.
    public String text {
        get {
            return '<h1>blah</h1>';
        }
        set;
    }
}

Based on the update description I was expecting the text to be rendered with the HTML tags, but it wasn't. I had to add escape="false". So, my question is, in what situations does the markup not get escaped?


Attribution to: Daniel Hoechst

Possible Suggestion/Solution #1

There are only a few situations where the markup wasn't getting escaped properly earlier. As you can see from your test, the down-the-middle test worked before and after.

Here is a test case for when the markup wasn't getting escaped and it should have:

[Apex Class] MyController

global class MyController {
    // Literal markup that outputText with escape="true" should render as text.
    public String getProperty() {
        return '<h1> escape me </h1>';
    }
}

[Visualforce Page] MyPage

<apex:page controller="MyController" showheader="false">
  <!-- Note the self-closing script element, which the question's page does not have -->
  <script />
  <apex:outputText escape="true" value="{!property}"/>
</apex:page>

Attribution to: Ryan Guest

Possible Suggestion/Solution #2

Check what API version your Visualforce page is on. If it's 26 it will always behave in the new fashion. If it's less than 26 it should behave the old way until you've activated the critical update.


Attribution to: Ralph Callaway

Possible Suggestion/Solution #3

I think I found the answer for this buried on page 197 of the Winter '13 release notes:

Changes to Escaping Behavior

Prior to the Winter ’13 release, text in some Visualforce pages and components might have been generated incorrectly. This markup could contain fragments that should have been escaped (for example, the "<" character generated as "&lt;") but were not. These fragments might be interpreted by the browser as markup rather than as text in the page. This problem has been corrected for all pages with API version 26.0 or later.

Your organization might contain pages or components that depend on this incorrect processing. These pages need to be fixed. To fix them, use <apex:outputText> with the attribute escape="false" to generate unescaped text.

For existing organizations, the Critical Updates page shows a pending change. When you have corrected any pages or components that depend on the incorrect behavior, activate the change on the Critical Updates page. You must make this change by the date indicated on the Critical Updates page. See “Critical Updates Overview” in the online help for details about managing critical updates.

If your organization contains pages or components with the problem installed from managed packages, you might need to contact the package’s supplier to obtain a newer, corrected, version.


Attribution to: ca_peterson
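An added example, not from the answers above or from Salesforce, showing the caveat that comes with the release-note fix: once a page uses escape="false", any user-controlled part of the value must be escaped in the controller instead. The class, property and method names (SafeHeadingController, userTitle, heading) and the sample input are assumptions.

```apex
// [Apex Class] SafeHeadingController (hypothetical name)
public with sharing class SafeHeadingController {

    // Stands in for text that ultimately comes from a user or a record field.
    public String userTitle { get; set; }

    public SafeHeadingController() {
        // Constructed sample input containing characters that HTML treats as markup.
        userTitle = 'Q3 <b>Report</b> & Notes';
    }

    // Builds the markup the page emits with escape="false". Only the fixed
    // wrapper tags are written by the developer; the user-controlled part goes
    // through String.escapeHtml4(), which encodes &, <, > and " so it renders
    // as text inside the element rather than as markup.
    public String getHeading() {
        return '<h1>' + String.escapeHtml4(userTitle) + '</h1>';
    }
}

// [Visualforce Page] SafeHeadingPage (hypothetical name)
// <apex:page controller="SafeHeadingController">
//   <apex:outputText value="{!heading}" escape="false"/>
// </apex:page>

// [Apex Test] SafeHeadingControllerTest (hypothetical name)
@isTest
private class SafeHeadingControllerTest {
    @isTest
    static void userTextIsEscapedInsideHeading() {
        SafeHeadingController c = new SafeHeadingController();
        c.userTitle = 'Q3 <b>Report</b> & Notes';
        System.assertEquals(
            '<h1>Q3 &lt;b&gt;Report&lt;/b&gt; &amp; Notes</h1>',
            c.getHeading());
    }
}
```

The test pins the output regardless of the page's API version or the critical update's state, which is the point: the controller, not the rendering engine, decides what is markup.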
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/3431
