fielderror tag does not escape the error message if param tag is used
----------------------------------------------------------------------
Key: WW-3405
URL: https://issues.apache.org/jira/browse/WW-3405
Project: Struts 2
Issue Type: Bug
Affects Versions: 2.1.8.1
Environment: Windows Vista, Weblogic 10.3.2, Struts 2.1.8.1
Reporter: Petteri Kauko
Noticed this when I wanted to have the field contents as part of the error
message. In this case, the error message I'm using has ${trackingCode} as part
of it and there's an input field in the form named trackingCode. The class
error_text is a simple class that colors the text red.
When using fielderror as follows:
<s:fielderror theme="simple" cssClass="error_text" />
If the field trackingCode contains JavaScript, the script is just printed on
the page as part of the error message. Also, any HTML entities in the resource
bundle are printed out with the ampersand -> &auml; is just printed out as it
was in the resource bundle.
When using fielderror like this:
<s:fielderror theme="simple" cssClass="error_text" >
<s:param>trackingCode</s:param>
</s:fielderror>
If the field trackingCode contains JavaScript, the script is executed on page
load. Also, any HTML entities in the resource bundle are not escaped, hence &auml;
becomes ä on the page.
I think this is an obvious bug, but I was unable to find an existing issue for it.
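As an added illustration (not Struts code and not from the reporter), this is the rendering behaviour the report expects from the param path: the resource-bundle template is trusted markup and is emitted as authored, so its entities reach the browser intact, while the request-supplied parameter value is HTML-escaped before it is substituted into the ${...} placeholder. The class, method names, template and field value are all constructed for the example.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical renderer for a field-error message that takes a parameter.
 * Template text (from the resource bundle) is trusted; parameter values
 * (from the request) are untrusted and must be escaped before substitution.
 */
public class SafeFieldError {

    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{(\\w+)\\}");

    /** Minimal HTML escaping for text placed in element content. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Replaces each ${name} with the escaped parameter value; template text is untouched. */
    static String render(String template, Map<String, String> params) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = params.getOrDefault(m.group(1), "");
            // quoteReplacement stops '$' or '\' in the value from being read as group references
            m.appendReplacement(out, Matcher.quoteReplacement(escapeHtml(value)));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed bundle message (with entities) and constructed field value (with markup).
        String template = "Tracking code ${trackingCode} isn&#39;t valid &ndash; please check it";
        String fieldValue = "<script>alert(1)</script>";
        System.out.println(render(template, Map.of("trackingCode", fieldValue)));
    }
}
```

The entities authored in the template are passed through unchanged, while the angle brackets from the field value are emitted as &lt; and &gt;, so the browser shows the script as text instead of executing it.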