  1. Struts 2
  2. WW-4888

HTML escaping on the text tag

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.5.13
    • Fix Version/s: 2.5.14
    • Component/s: Core Tags
    • Labels:
      None

      Description

      Assuming an i18n bundle with the following entry:

      sample.message=This is a dumb smiley <:‑|
      

      The following tag produces a value that is properly escaped for HTML:

      <s:property value="%{getText('sample.message')}"/>
      

      However, the text tag does not escape the "<" character and cannot be safely used in HTML:

      <s:text name="sample.message"/>
      

      The text tag documentation (http://struts.apache.org/tag-developers/text-tag.html) neither states HTML escaping is performed nor warns it is not.

      In the FAQ, the "How to escape special chars in resource bundles" article (https://struts.apache.org/docs/how-to-escape-special-chars-in-resource-bundles.html) describes how to escape special characters of the MessageFormat syntax but does not mention HTML escaping.

      I assume HTML escaping on the text tag cannot be added now without breaking backward compatibility, but maybe an "escapeHtml" attribute could be added (as with the property tag)?
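
The difference described in the report, reproduced with plain JDK classes as an added example; it is not part of the original report and is not Struts code. The `greeting` entry, its argument values and the `escapeHtml` helper are hypothetical, and the parameterised case goes beyond the report to show that escaping has to happen after message formatting so substituted values are covered as well.

```java
import java.io.IOException;
import java.io.StringReader;
import java.text.MessageFormat;
import java.util.PropertyResourceBundle;
import java.util.ResourceBundle;

public class TextTagEscapingDemo {

    // Constructed bundle: the entry from the report (ASCII hyphen) plus a
    // hypothetical parameterised entry that is not in the report.
    static final String BUNDLE =
        "sample.message=This is a dumb smiley <:-|\n" +
        "greeting=Hello {0}, you have {1} new messages\n";

    // Minimal HTML escaper, a stand-in for a library escaper (assumption).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Look up a key and substitute arguments using MessageFormat syntax.
    static String resolve(ResourceBundle bundle, String key, Object... args) {
        return MessageFormat.format(bundle.getString(key), args);
    }

    public static void main(String[] argv) throws IOException {
        ResourceBundle bundle = new PropertyResourceBundle(new StringReader(BUNDLE));
        String raw = resolve(bundle, "sample.message");
        // Raw output: the "<" reaches the page as markup.
        System.out.println("unescaped: " + raw);
        // Escaped output: safe to place in HTML text content.
        System.out.println("escaped:   " + escapeHtml(raw));
        // Escape the formatted result, not the pattern, so arguments are covered.
        String name = "<b>guest</b>"; // constructed value standing in for request data
        System.out.println("escaped:   " + escapeHtml(resolve(bundle, "greeting", name, 3)));
    }
}
```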

        Attachments

        1. text-vs-property.png
          19 kB
          Pierre-Yves Soblet

              People

              • Assignee:
                Unassigned
              • Reporter:
                Pierre-Yves Soblet (pys)