[jira] Commented: (STR-3092) ErrorsTag should filter arguments for html display

Fri, 31 Aug 2007 15:57:56 -0700 

    [ 
https://issues.apache.org/struts/browse/STR-3092?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_42081
 ] 

Paul Benedict commented on STR-3092:
------------------------------------

Juan, thanks for your feedback. The MessageTag was introduced into Struts after 
ErrorTag and is meant to replace it. You can duplicate all the functionality of 
the ErrorTag with it although the implementation is not identical. Do as 
follows:

<logic:messagesPresent>
  <bean:message key="errors.header" />
    <ul class="error">
      <html:messages id="error">
        <li><c:out value="${error}" /></li>
      </html:messages>
    </ul>
    <bean:message key="errors.footer" />
</logic:messagesPresent>

Wrap that in a JSP fragment to include. So as you can see, the MessageTag gives 
you greater flexibility to customize the design and look and feel of the error 
messages. 

Paul

> ErrorsTag should filter arguments for html display
> --------------------------------------------------
>
>                 Key: STR-3092
>                 URL: https://issues.apache.org/struts/browse/STR-3092
>             Project: Struts 1
>          Issue Type: Improvement
>          Components: Taglibs
>    Affects Versions: 1.1.1
>            Reporter: Juan Duran
>            Assignee: Paul Benedict
>            Priority: Minor
>
> Unlike bean:write,  html:errors doesn't filter for html the arguments that 
> may go along the message.
> In my opinion, those arguments should be filtered for html by default as this 
> is the purpose of the ErrorsTag (to display in html).
> Sometimes we may want to include the user input in the error message after 
> some validation.  For example, say I want to validate that a nameserver is a 
> valid registered nameserver.  I would take the user input , run the 
> validation service and would like my error message to be declared in the 
> resources file as:
> error.invalid.dns={0} is not a registered nameserver
> if the user wants to screw my display, then he may enter something like 
> "seehowthislooks<hr>"  The html element doesn't get filtered out.
> I believe ErrorsTag should make use of    TagUtils.filter(value) in the 
> doStartTag method (which is used by org.apache.struts.taglib.bean.WriteTag).  
> that would take care of this issue.
> workaround
> ----------------
> Of course, we could do the filter before creating the error (ActionMessage),  
> but it would be nice to have this feature just as it happens with bean:write
> Thanks!

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to