[
https://issues.apache.org/jira/browse/WW-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16254067#comment-16254067
]
ASF subversion and git services commented on WW-4888:
-----------------------------------------------------
Commit 5b91cd9f1c940366c1bacd56347aa3939dd1e89c in struts-site's branch
refs/heads/master from [~yasser.zamani]
[ https://gitbox.apache.org/repos/asf?p=struts-site.git;h=5b91cd9 ]
WW-4888 Documents escaping possibilities of text-tag
> HTML escaping on the text tag
> -----------------------------
>
> Key: WW-4888
> URL: https://issues.apache.org/jira/browse/WW-4888
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Tags
> Affects Versions: 2.5.13
> Reporter: Pierre-Yves Soblet
> Fix For: 2.5.14
>
> Attachments: text-vs-property.png
>
>
> Assuming an i18n bundle with the following entry:
> {code}
> sample.message=This is a dumb smiley <:‑|
> {code}
> The following tag produces a value that is properly escaped for HTML:
> {code}
> <s:property value="%{getText('sample.message')}"/>
> {code}
> However, the *text* tag does not escape the "<" character and cannot be
> safely used in HTML:
> {code}
> <s:text name="sample.message"/>
> {code}
> The text tag documentation
> (http://struts.apache.org/tag-developers/text-tag.html) neither states HTML
> escaping is performed nor warns it is not.
> In the FAQ, the "How to escape special chars in resource bundles" article
> (https://struts.apache.org/docs/how-to-escape-special-chars-in-resource-bundles.html)
> describes how to escape special characters of the MessageFormat syntax but
> does not mention HTML escaping.
> I assume HTML escaping on the text tag cannot be added now without breaking
> backward compatibility, but maybe an "escapeHtml" attribute could be added
> (as with the property tag)?
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
