struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pierre-Yves Soblet (JIRA)" <j...@apache.org>
Subject [jira] [Created] (WW-4888) HTML escaping on the text tag
Date Thu, 02 Nov 2017 13:21:00 GMT
Pierre-Yves Soblet created WW-4888:
--------------------------------------

             Summary: HTML escaping on the text tag
                 Key: WW-4888
                 URL: https://issues.apache.org/jira/browse/WW-4888
             Project: Struts 2
          Issue Type: Improvement
          Components: Core Tags
    Affects Versions: 2.5.13
            Reporter: Pierre-Yves Soblet
            Priority: Normal


Assuming an i18n bundle with the following entry:

{code}
sample.message=This is a dumb smiley <:‑|
{code}

The following tag produces a value that is properly escaped for HTML:

{code}
<s:property value="%{getText('sample.message')}"/>
{code}


However, the *text* tag does not escape the "<" character and cannot be safely used in
HTML:

{code}
<s:text name="sample.message"/>
{code}


The text tag documentation (http://struts.apache.org/tag-developers/text-tag.html) neither
states HTML escaping is performed nor warns it is not.

In the FAQ, the "How to escape special chars in resource bundles" article (https://struts.apache.org/docs/how-to-escape-special-chars-in-resource-bundles.html)
describes how to escape special characters of the MessageFormat syntax but does not mention
HTML escaping.

I assume HTML escaping on the text tag cannot be added now without breaking backward compatibility,
but maybe an "escapeHtml" attribute could be added (as with the property tag)? 




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message