[WW-4888] HTML escaping on the text tag - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.5.13
Fix Version/s: 2.5.14
Component/s: Core Tags
Labels:
None

Description

Assuming an i18n bundle with the following entry:

sample.message=This is a dumb smiley <:‑|

The following tag produces a value that is properly escaped for HTML:

<s:property value="%{getText('sample.message')}"/>

However, the text tag does not escape the "<" character and cannot be safely used in HTML:

<s:text name="sample.message"/>

The text tag documentation (http://struts.apache.org/tag-developers/text-tag.html) neither states HTML escaping is performed nor warns it is not.

In the FAQ, the "How to escape special chars in resource bundles" article (https://struts.apache.org/docs/how-to-escape-special-chars-in-resource-bundles.html) describes how to escape special characters of the MessageFormat syntax but does not mention HTML escaping.

I assume HTML escaping on the text tag cannot be added now without breaking backward compatibility, but maybe an "escapeHtml" attribute could be added (as with the property tag)?

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

text-vs-property.png
02/Nov/17 13:21
19 kB
Pierre-Yves Soblet

Issue Links

links to

GitHub Pull Request #181

Activity

People

Assignee:: Unassigned

Reporter:: Pierre-Yves Soblet

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 02/Nov/17 13:20

Updated:: 28/Nov/17 07:24

Resolved:: 09/Nov/17 17:04