Assuming an i18n bundle with the following entry:
sample.message=This is a dumb smiley <:‑|
The following tag produces a value that is properly escaped for HTML:
However, the text tag does not escape the "<" character and cannot be safely used in HTML:
The text tag documentation (http://struts.apache.org/tag-developers/text-tag.html) neither states HTML escaping is performed nor warns it is not.
In the FAQ, the "How to escape special chars in resource bundles" article (https://struts.apache.org/docs/how-to-escape-special-chars-in-resource-bundles.html) describes how to escape special characters of the MessageFormat syntax but does not mention HTML escaping.
I assume HTML escaping on the text tag cannot be added now without breaking backward compatibility, but maybe an "escapeHtml" attribute could be added (as with the property tag)?
- links to