struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pierre-Yves Soblet (JIRA)" <>
Subject [jira] [Created] (WW-4888) HTML escaping on the text tag
Date Thu, 02 Nov 2017 13:21:00 GMT
Pierre-Yves Soblet created WW-4888:

             Summary: HTML escaping on the text tag
                 Key: WW-4888
             Project: Struts 2
          Issue Type: Improvement
          Components: Core Tags
    Affects Versions: 2.5.13
            Reporter: Pierre-Yves Soblet
            Priority: Normal

Assuming an i18n bundle with the following entry:

sample.message=This is a dumb smiley <:‑|

The following tag produces a value that is properly escaped for HTML:

<s:property value="%{getText('sample.message')}"/>

However, the *text* tag does not escape the "<" character and cannot be safely used in

<s:text name="sample.message"/>

The text tag documentation ( neither
states HTML escaping is performed nor warns it is not.

In the FAQ, the "How to escape special chars in resource bundles" article (
describes how to escape special characters of the MessageFormat syntax but does not mention
HTML escaping.

I assume HTML escaping on the text tag cannot be added now without breaking backward compatibility,
but maybe an "escapeHtml" attribute could be added (as with the property tag)? 

This message was sent by Atlassian JIRA

View raw message