Resolution: Won't Fix
Affects Version/s: 1.1.1
Fix Version/s: None
Component/s: Tag Libraries
Unlike bean:write, html:errors doesn't filter for html the arguments that may go along the message.
In my opinion, those arguments should be filtered for html by default as this is the purpose of the ErrorsTag (to display in html).
Sometimes we may want to include the user input in the error message after some validation. For example, say I want to validate that a nameserver is a valid registered nameserver. I would take the user input , run the validation service and would like my error message to be declared in the resources file as:
is not a registered nameserver
if the user wants to screw my display, then he may enter something like "seehowthislooks<hr>" The html element doesn't get filtered out.
I believe ErrorsTag should make use of TagUtils.filter(value) in the doStartTag method (which is used by org.apache.struts.taglib.bean.WriteTag). that would take care of this issue.
Of course, we could do the filter before creating the error (ActionMessage), but it would be nice to have this feature just as it happens with bean:write