struts-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4888) HTML escaping on the text tag
Date Wed, 08 Nov 2017 22:17:00 GMT

    [ https://issues.apache.org/jira/browse/WW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16244838#comment-16244838 ]

ASF GitHub Bot commented on WW-4888:
------------------------------------

sdutry opened a new pull request #181: WW-4888 add escaping possibilities to text-tag
URL: https://github.com/apache/struts/pull/181
 
 
   Added the option of escaping the result of an `<s:text>` tag.
   
   Defaults set to not escaping in order not to break current behavior.
   
   
   possible improvement:
   * now holds duplicate prepare method from the `Property` class



> HTML escaping on the text tag
> -----------------------------
>
>                 Key: WW-4888
>                 URL: https://issues.apache.org/jira/browse/WW-4888
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Tags
>    Affects Versions: 2.5.13
>            Reporter: Pierre-Yves Soblet
>             Fix For: 2.5.x
>
>         Attachments: text-vs-property.png
>
>
> Assuming an i18n bundle with the following entry:
> {code}
> sample.message=This is a dumb smiley <:‑|
> {code}
> The following tag produces a value that is properly escaped for HTML:
> {code}
> <s:property value="%{getText('sample.message')}"/>
> {code}
> However, the *text* tag does not escape the "<" character and cannot be safely used in HTML:
> {code}
> <s:text name="sample.message"/>
> {code}
> The text tag documentation (http://struts.apache.org/tag-developers/text-tag.html) neither states HTML escaping is performed nor warns it is not.
> In the FAQ, the "How to escape special chars in resource bundles" article (https://struts.apache.org/docs/how-to-escape-special-chars-in-resource-bundles.html) describes how to escape special characters of the MessageFormat syntax but does not mention HTML escaping.
> I assume HTML escaping on the text tag cannot be added now without breaking backward compatibility, but maybe an "escapeHtml" attribute could be added (as with the property tag)?




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
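
A JDK-only illustration of the behaviour discussed in the issue, added here as an example; it is not Struts code and not the code from pull request #181. The `render` and `escapeHtml` helpers and the `sample.greeting` entry are hypothetical, and only `sample.message` comes from the issue. It shows that MessageFormat quoting and HTML escaping are separate layers, and that escaping the final string also encodes markup stored in the bundle, which is the backward-compatibility concern behind the opt-in default.

```java
import java.text.MessageFormat;
import java.util.Properties;

public class TextTagEscapingDemo {

    // Minimal HTML escaper for element content and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Resolve the key, apply MessageFormat, then optionally escape the FINAL
    // string so that both the bundle text and the substituted arguments are covered.
    static String render(Properties bundle, String key, boolean escape, Object... args) {
        String formatted = MessageFormat.format(bundle.getProperty(key), args);
        return escape ? escapeHtml(formatted) : formatted;
    }

    public static void main(String[] args) {
        Properties bundle = new Properties();
        // Entry taken from the issue (U+2011 is the non-breaking hyphen it uses).
        bundle.setProperty("sample.message", "This is a dumb smiley <:\u2011|");
        // Constructed entry: '' is MessageFormat quoting, <b> is markup kept in the bundle.
        bundle.setProperty("sample.greeting", "It''s <b>{0}</b>");

        // Constructed argument standing in for a value that is not trusted as HTML.
        String displayName = "R&D <ops>";

        // Unescaped output: the "<" reaches the page as-is.
        System.out.println(render(bundle, "sample.message", false));
        // Escaped output: safe to place in HTML element content.
        System.out.println(render(bundle, "sample.message", true));

        // MessageFormat turns '' into ' but does nothing about HTML metacharacters.
        System.out.println(render(bundle, "sample.greeting", false, displayName));
        // Escaping the result encodes the argument AND the bundle's own <b> tags.
        System.out.println(render(bundle, "sample.greeting", true, displayName));
    }
}
```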
