Details
Description
Noticed this when I wanted to have the field contents as part of the error message. In this case, the error message I'm using has ${trackingCode} as part of it and there's a input field in the form named trackingCode. Class error_text is simple class, that colors the text red.
When using fielderror as follows:
<s:fielderror theme="simple" cssClass="error_text" />
If the field trackingCode contains javascript, the script is just printed on the page as part of the error message. Also possible HTML -entities in resource bundle are printed out with the ampersand -> ä is just printed out as it was in the resource bundle.
When using fielderror like this:
<s:fielderror theme="simple" cssClass="error_text" >
<s:param>trackingCode</s:param>
</s:fielderror>
If the field trackingCode contains javascript, the script is executed on page load. Also any HTML -entities in resource bundle are not escaped, hence ä becomes รค on the page.
I think this is an obvious bug, but was unable to find an issue of it.