  1. Struts 2
  2. WW-3405

fielderror tag does not escape the error message if param tag is used

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.1.8.1
    • Fix Version/s: 2.2.1
    • Component/s: None
    • Environment:

      Windows Vista, Weblogic 10.3.2, Struts 2.1.8.1

      Description

      Noticed this when I wanted to have the field contents as part of the error message. In this case, the error message I'm using has ${trackingCode} as part of it and there's an input field in the form named trackingCode. Class error_text is a simple class that colors the text red.

      When using fielderror as follows:
      <s:fielderror theme="simple" cssClass="error_text" />
      If the field trackingCode contains JavaScript, the script is just printed on the page as part of the error message. Also, possible HTML entities in the resource bundle are printed out with the ampersand -> &auml; is just printed out as it was in the resource bundle.

      When using fielderror like this:
      <s:fielderror theme="simple" cssClass="error_text" >
      <s:param>trackingCode</s:param>
      </s:fielderror>
      If the field trackingCode contains JavaScript, the script is executed on page load. Also, any HTML entities in the resource bundle are not escaped, hence &auml; becomes ä on the page.

      I think this is an obvious bug, but was unable to find an issue of it.

            People

            • Assignee:
              lukaszlenart Lukasz Lenart
              Reporter:
              petterikauko Petteri Kauko
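
The two behaviours contrasted in the description, as an added example that is not part of the original report and is not Struts code: a submitted field value is interpolated into a resource-bundle message and then rendered with and without HTML escaping. The class name, helper methods, bundle message and field value are hypothetical and constructed for illustration.

```java
import java.util.List;
import java.util.Map;

public class FieldErrorEscapingDemo {

    // Minimal HTML escaping for text placed in element content.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Substitutes ${name} placeholders with the raw submitted field values.
    static String interpolate(String template, Map<String, String> fields) {
        String result = template;
        for (Map.Entry<String, String> e : fields.entrySet()) {
            result = result.replace("${" + e.getKey() + "}", e.getValue());
        }
        return result;
    }

    // Renders the messages; escape=false models the behaviour the report describes.
    static String render(List<String> messages, boolean escape) {
        StringBuilder html = new StringBuilder("<ul class=\"error_text\">");
        for (String m : messages) {
            html.append("<li>").append(escape ? escapeHtml(m) : m).append("</li>");
        }
        return html.append("</ul>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a submitted field value and a bundle message.
        Map<String, String> fields = Map.of("trackingCode", "<script>alert(1)</script>");
        String bundleMessage = "Tracking code ${trackingCode} is not valid (&auml;)";
        List<String> errors = List.of(interpolate(bundleMessage, fields));

        System.out.println("unescaped: " + render(errors, false));
        System.out.println("escaped:   " + render(errors, true));
    }
}
```

With escaping on, the markup in the field value is emitted as inert text, and an entity stored in the bundle is shown literally with its ampersand. Storing the literal character in the bundle instead of an HTML entity lets the message be escaped at output and still display correctly.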