Pierre-Yves Soblet created WW-4888:
--------------------------------------
Summary: HTML escaping on the text tag
Key: WW-4888
URL: https://issues.apache.org/jira/browse/WW-4888
Project: Struts 2
Issue Type: Improvement
Components: Core Tags
Affects Versions: 2.5.13
Reporter: Pierre-Yves Soblet
Priority: Normal
Assuming an i18n bundle with the following entry:
{code}
sample.message=This is a dumb smiley <:‑|
{code}
The following tag produces a value that is properly escaped for HTML:
{code}
<s:property value="%{getText('sample.message')}"/>
{code}
However, the *text* tag does not escape the "<" character and cannot be safely used in
HTML:
{code}
<s:text name="sample.message"/>
{code}
The text tag documentation (http://struts.apache.org/tag-developers/text-tag.html) neither
states HTML escaping is performed nor warns it is not.
In the FAQ, the "How to escape special chars in resource bundles" article (https://struts.apache.org/docs/how-to-escape-special-chars-in-resource-bundles.html)
describes how to escape special characters of the MessageFormat syntax but does not mention
HTML escaping.
I assume HTML escaping on the text tag cannot be added now without breaking backward compatibility,
but maybe an "escapeHtml" attribute could be added (as with the property tag)?
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
|