org.apache.struts.taglib.html.ErrorsTag should filter arguments for html display
--------------------------------------------------------------------------------

                 Key: STR-3092
                 URL: https://issues.apache.org/struts/browse/STR-3092
             Project: Struts 1
          Issue Type: Improvement
          Components: Taglibs
         Environment: not sure about this field
            Reporter: Juan Duran
            Priority: Minor


Unlike bean:write, html:errors doesn't filter for HTML the arguments that may 
go along with the message.
In my opinion, those arguments should be filtered for HTML by default, as this 
is the purpose of the ErrorsTag (to display in HTML).

Sometimes we may want to include the user input in the error message after some 
validation. For example, say I want to validate that a nameserver is a valid 
registered nameserver. I would take the user input, run the validation 
service and would like my error message to be declared in the resources file as:

error.invalid.dns={0} is not a registered nameserver


If the user wants to screw my display, then he may enter something like 
"seehowthislooks<hr>". The HTML element doesn't get filtered out.

I believe ErrorsTag should make use of TagUtils.filter(value) in the 
doStartTag method (which is used by org.apache.struts.taglib.bean.WriteTag). 
That would take care of this issue.


workaround
----------------
Of course, we could do the filter before creating the error (ActionMessage), 
but it would be nice to have this feature just as it happens with bean:write.

Thanks!







-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
