Struts 2 / WW-4888

HTML escaping on the text tag


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.5.13
    • Fix Version/s: 2.5.14
    • Component/s: Core Tags
    • Labels: None

    Description

      Assuming an i18n bundle with the following entry:

      sample.message=This is a dumb smiley <:‑|
      

      The following tag produces a value that is properly escaped for HTML:

      <s:property value="%{getText('sample.message')}"/>
      

      However, the text tag does not escape the "<" character and cannot be safely used in HTML:

      <s:text name="sample.message"/>
      

      The text tag documentation (http://struts.apache.org/tag-developers/text-tag.html) neither states HTML escaping is performed nor warns it is not.

      In the FAQ, the "How to escape special chars in resource bundles" article (https://struts.apache.org/docs/how-to-escape-special-chars-in-resource-bundles.html) describes how to escape special characters of the MessageFormat syntax but does not mention HTML escaping.

      I assume HTML escaping on the text tag cannot be added now without breaking backward compatibility, but maybe an "escapeHtml" attribute could be added (as with the property tag)?

      Attachments

        1. text-vs-property.png
          19 kB
          Pierre-Yves Soblet
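
The gap described in this issue, modelled outside Struts as an added example (not code from the issue or from the Struts project): a message resolved from a bundle and run through MessageFormat is written once as-is and once HTML-escaped after formatting. The class name, the helper names, the `sample.greeting` entry and the argument value are assumptions made for the illustration; the smiley entry uses a plain hyphen.

```java
import java.io.StringReader;
import java.text.MessageFormat;
import java.util.Properties;

public class TextTagEscapingDemo {
    // Minimal escaper for HTML element content and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Bundle lookup plus MessageFormat only: the message reaches the page verbatim.
    static String rawText(Properties bundle, String key, Object... args) {
        return MessageFormat.format(bundle.getProperty(key), args);
    }

    // Escape the finished message, so bundle text and arguments are both covered.
    static String escapedText(Properties bundle, String key, Object... args) {
        return escapeHtml(rawText(bundle, key, args));
    }

    public static void main(String[] argv) throws Exception {
        // Constructed bundle: the first entry follows the issue's sample,
        // the second is hypothetical and adds MessageFormat syntax ('' and {0}).
        Properties bundle = new Properties();
        bundle.load(new StringReader(
            "sample.message=This is a dumb smiley <:-|\n"
          + "sample.greeting=It''s <b>{0}</b>\n"));

        System.out.println(rawText(bundle, "sample.message"));
        System.out.println(escapedText(bundle, "sample.message"));
        // '' is MessageFormat escaping and yields one apostrophe; it does
        // nothing for HTML. The argument is a constructed user-supplied value.
        System.out.println(rawText(bundle, "sample.greeting", "Tom & <Jerry>"));
        System.out.println(escapedText(bundle, "sample.greeting", "Tom & <Jerry>"));
    }
}
```

The second pair of lines shows both sides of the trade-off: escaping after formatting neutralises the argument, and it also escapes the `<b>` markup that the bundle entry contained on purpose.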


          People

            Assignee: Unassigned
            Reporter: Pierre-Yves Soblet
            Votes: 0
            Watchers: 5
