struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4888) HTML escaping on the text tag
Date Thu, 09 Nov 2017 17:19:00 GMT 

    [ https://issues.apache.org/jira/browse/WW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16246087#comment-16246087
] 

Hudson commented on WW-4888:
----------------------------

SUCCESS: Integrated in Jenkins build Struts-master-JDK7 #54 (See [https://builds.apache.org/job/Struts-master-JDK7/54/])
WW-4888 add escaping options to text tag (stefaan.dutry: rev cde63169f0b8717fc29355509f5ac365a843993a)
* (edit) core/src/main/java/org/apache/struts2/views/jsp/TextTag.java
* (edit) core/src/test/java/org/apache/struts2/views/jsp/TextTagTest.java
* (edit) core/src/site/resources/tags/text.html
* (edit) core/src/main/java/org/apache/struts2/components/Text.java
* (edit) core/src/main/java/org/apache/struts2/views/jsp/PropertyTag.java
* (edit) core/src/test/resources/org/apache/struts2/TestAction.properties


> HTML escaping on the text tag
> -----------------------------
>
>                 Key: WW-4888
>                 URL: https://issues.apache.org/jira/browse/WW-4888
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Tags
>    Affects Versions: 2.5.13
>            Reporter: Pierre-Yves Soblet
>             Fix For: 2.5.14
>
>         Attachments: text-vs-property.png
>
>
> Assuming an i18n bundle with the following entry:
> {code}
> sample.message=This is a dumb smiley <:‑|
> {code}
> The following tag produces a value that is properly escaped for HTML:
> {code}
> <s:property value="%{getText('sample.message')}"/>
> {code}
> However, the *text* tag does not escape the "<" character and cannot be safely used
in HTML:
> {code}
> <s:text name="sample.message"/>
> {code}
> The text tag documentation (http://struts.apache.org/tag-developers/text-tag.html) neither
states HTML escaping is performed nor warns it is not.
> In the FAQ, the "How to escape special chars in resource bundles" article (https://struts.apache.org/docs/how-to-escape-special-chars-in-resource-bundles.html)
describes how to escape special characters of the MessageFormat syntax but does not mention
HTML escaping.
> I assume HTML escaping on the text tag cannot be added now without breaking backward
compatibility, but maybe an "escapeHtml" attribute could be added (as with the property tag)?




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
Mime
View raw message