struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukasz Lenart <>
Subject Re: Referencing request parameters in struts tags.
Date Sat, 12 Nov 2016 08:24:48 GMT
2016-11-11 12:23 GMT+01:00 Greg Huber <>:
>> <s:text name="<script>alert('ok')</script>" />
> ....this pops!

In the latest build? Because is see something like this in source page

Test: &lt;script&gt;alert(\'ok\')&lt;\/script&gt;

>> Maybe we should've thought about renaming this tag
> Think we are OK here as it does say what it does, maybe could add more info
> in the hover if we are going to change it.  Currently is says "Render a
> I18n text message"
> ##
> <s:text name="script.test"/>
> script.test=<script type="text/javascript">alert("ok");</script>

I assume you meant that "script.test=<script
type="text/javascript">alert("ok");</script>" is passed a request
parameter? So again are using the latest build because I cannot
confirm this.

> ..but do have html in the file so sometimes
> I want it rendered as html eg <em>Important</em> but any <script></script>
> could be a escaped when its loaded from the file initially?  Its difficult
> to say how far to take this!

To be clear, this won't affect your messages from .properties files,
so if you are using html in there you will get that html on your page,
it won't be escaped. Right now, after disabling searching default
message in ValueStack, even escaping is not needed.

> Think reducing the scope of <s:text> is worth doing, its easy to convert to
> <s:property> and also reduces the duplication / maintenance also.

Yes, but both these tags have different use cases, so I would leave
them just improve.

+ 48 606 323 122

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message