[ https://issues.apache.org/jira/browse/WW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16254067#comment-16254067 ]
ASF subversion and git services commented on WW-4888: ----------------------------------------------------- Commit 5b91cd9f1c940366c1bacd56347aa3939dd1e89c in struts-site's branch refs/heads/master from [~yasser.zamani] [ https://gitbox.apache.org/repos/asf?p=struts-site.git;h=5b91cd9 ] WW-4888 Documents escaping possibilities of text-tag > HTML escaping on the text tag > ----------------------------- > > Key: WW-4888 > URL: https://issues.apache.org/jira/browse/WW-4888 > Project: Struts 2 > Issue Type: Improvement > Components: Core Tags > Affects Versions: 2.5.13 > Reporter: Pierre-Yves Soblet > Fix For: 2.5.14 > > Attachments: text-vs-property.png > > > Assuming an i18n bundle with the following entry: > {code} > sample.message=This is a dumb smiley <:‑| > {code} > The following tag produces a value that is properly escaped for HTML: > {code} > <s:property value="%{getText('sample.message')}"/> > {code} > However, the *text* tag does not escape the "<" character and cannot be > safely used in HTML: > {code} > <s:text name="sample.message"/> > {code} > The text tag documentation > (http://struts.apache.org/tag-developers/text-tag.html) neither states HTML > escaping is performed nor warns it is not. > In the FAQ, the "How to escape special chars in resource bundles" article > (https://struts.apache.org/docs/how-to-escape-special-chars-in-resource-bundles.html) > describes how to escape special characters of the MessageFormat syntax but > does not mention HTML escaping. > I assume HTML escaping on the text tag cannot be added now without breaking > backward compatibility, but maybe an "escapeHtml" attribute could be added > (as with the property tag)? -- This message was sent by Atlassian JIRA (v6.4.14#64029)