Struts 2 / WW-3405

fielderror tag does not escape the error message if param tag is used

Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.1.8.1
    • Fix Version/s: 2.2.1
    • None
    • Environment: Windows Vista, Weblogic 10.3.2, Struts 2.1.8.1

    Description

      Noticed this when I wanted to have the field contents as part of the error message. In this case, the error message I'm using has ${trackingCode} as part of it and there's an input field in the form named trackingCode. Class error_text is a simple class that colors the text red.

      When using fielderror as follows:
      <s:fielderror theme="simple" cssClass="error_text" />
      If the field trackingCode contains javascript, the script is just printed on the page as part of the error message. Also, possible HTML entities in the resource bundle are printed out with the ampersand, i.e. &auml; is just printed out as it was in the resource bundle.

      When using fielderror like this:
      <s:fielderror theme="simple" cssClass="error_text" >
      <s:param>trackingCode</s:param>
      </s:fielderror>
      If the field trackingCode contains javascript, the script is executed on page load. Also, any HTML entities in the resource bundle are not escaped, hence &auml; becomes ä on the page.

      I think this is an obvious bug, but I was unable to find an issue for it.
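The two behaviours described above come down to where escaping is applied when a message template from the resource bundle has a request value substituted into it. The following is an added example, not Struts code: a small standalone Java class with a hypothetical `interpolate` helper that stands in for the tag's message rendering, showing the unescaped rendering (the request value lands in the markup as-is, so a `<script>` element executes) next to a hardened rendering that escapes only the substituted request value and leaves the bundle's own entities such as `&auml;` intact. The template, field name and values are constructed for the demonstration.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not Struts code): why a field error message that
 * interpolates request data must be HTML-escaped before it reaches the page.
 */
public class FieldErrorEscapingDemo {

    // Matches ${name} placeholders in a resource-bundle message (hypothetical syntax).
    private static final Pattern PLACEHOLDER =
            Pattern.compile("\\$\\{([A-Za-z_][A-Za-z0-9_]*)\\}");

    /** Escapes the characters that can change meaning inside HTML text content. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Replaces every ${name} in the template with the matching request value.
     * When escapeValues is true, only the substituted values are escaped; the
     * template itself (trusted, from the resource bundle) is left untouched, so
     * an entity like &auml; written there still renders as the character.
     */
    public static String interpolate(String template, Map<String, String> values,
                                     boolean escapeValues) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String v = values.getOrDefault(m.group(1), "");
            if (escapeValues) {
                v = escapeHtml(v);
            }
            // quoteReplacement: a value containing '$' or '\' must not be treated as a group reference.
            m.appendReplacement(out, Matcher.quoteReplacement(v));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Vulnerable rendering: the request value is written into the page as-is. */
    public static String renderUnescaped(String template, Map<String, String> values) {
        return "<span class=\"error_text\">" + interpolate(template, values, false) + "</span>";
    }

    /** Hardened rendering: the request value is escaped before entering the markup. */
    public static String renderEscaped(String template, Map<String, String> values) {
        return "<span class=\"error_text\">" + interpolate(template, values, true) + "</span>";
    }

    public static void main(String[] args) {
        // Constructed inputs: a bundle message containing an entity, and a hostile field value.
        String template = "Tracking code ${trackingCode} is not valid, try &auml;";
        Map<String, String> request = Map.of("trackingCode", "<script>alert(1)</script>");

        // Prints a live <script> element inside the span: the page-load execution the report describes.
        System.out.println(renderUnescaped(template, request));
        // Prints &lt;script&gt;... inside the span while &auml; is still an entity, so the
        // browser shows the script text literally and renders the entity as "ä".
        System.out.println(renderEscaped(template, request));
    }
}
```

Compile and run with `javac FieldErrorEscapingDemo.java && java FieldErrorEscapingDemo` (Java 9 or later for `Map.of`). The design point is the trust boundary: escape exactly the data that crossed it (the request parameter), not the whole assembled message, which is what leaves the bundle's entities displayable while neutralising field contents.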

People

  Assignee: Lukasz Lenart (lukaszlenart)
  Reporter: Petteri Kauko (petterikauko)