struts-issues mailing list archives

From "Petteri Kauko (JIRA)" <j...@apache.org>
Subject [jira] Created: (WW-3405) fielderror -tag does not escape the error message if param tag is used
Date Wed, 10 Mar 2010 13:25:27 GMT
fielderror -tag does not escape the error message if param tag is used
----------------------------------------------------------------------

                 Key: WW-3405
                 URL: https://issues.apache.org/jira/browse/WW-3405
             Project: Struts 2
          Issue Type: Bug
    Affects Versions: 2.1.8.1
         Environment: Windows Vista, Weblogic 10.3.2, Struts 2.1.8.1
            Reporter: Petteri Kauko


Noticed this when I wanted to have the field contents as part of the error message. In this
case, the error message I'm using has ${trackingCode} as part of it and there's an input field
in the form named trackingCode. Class error_text is a simple class that colors the text red.

When using fielderror as follows:
<s:fielderror theme="simple" cssClass="error_text" />
If the field trackingCode contains JavaScript, the script is just printed on the page as part
of the error message. Also, possible HTML entities in the resource bundle are printed out with
the ampersand -> &auml; is just printed out as it was in the resource bundle.

When using fielderror like this:
<s:fielderror theme="simple" cssClass="error_text" >
     <s:param>trackingCode</s:param>
</s:fielderror>
If the field trackingCode contains JavaScript, the script is executed on page load. Also any
HTML entities in the resource bundle are not escaped, hence &auml; becomes ä on the page.

I think this is an obvious bug, but was unable to find an issue for it.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
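
The two behaviours reported above, reproduced as an added example that is not part of the original message and is not Struts code. The renderer, the bundle text and the field value are hypothetical stand-ins constructed for illustration; only the class name error_text and the ${trackingCode} placeholder come from the report.

```java
import java.util.List;

// Added illustration, not Struts source: a simplified stand-in for the two
// rendering behaviours reported in WW-3405 (escaped vs. raw field errors).
public class FieldErrorEscapingDemo {

    // Minimal HTML escaping for text placed in element content.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical renderer: one list item per message, escaped or raw.
    static String render(List<String> messages, boolean escape) {
        StringBuilder html = new StringBuilder("<ul class=\"error_text\">");
        for (String m : messages) {
            html.append("<li><span>").append(escape ? escapeHtml(m) : m).append("</span></li>");
        }
        return html.append("</ul>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample data: bundle text with an entity and ${trackingCode}.
        String bundleText = "Invalid tracking code ${trackingCode} (&auml;)";
        String fieldValue = "<script>alert(1)</script>";
        String message = bundleText.replace("${trackingCode}", fieldValue);

        String escaped = render(List.of(message), true);
        String raw = render(List.of(message), false);
        System.out.println("escaped: " + escaped);
        System.out.println("raw:     " + raw);

        // Regression-style checks: escaped output must carry no live markup.
        if (escaped.contains("<script")) throw new AssertionError("script tag survived escaping");
        if (!escaped.contains("&amp;auml;")) throw new AssertionError("entity was not escaped");
        if (!raw.contains("<script>")) throw new AssertionError("raw path unexpectedly escaped");
    }
}
```

The escaped path also turns &auml; into &amp;auml;, which is why the entity shows up literally in the first case of the report; when output is escaped, bundle text needs the literal character rather than the entity.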

