Re: Struts 2.1.8: Do we need to escape messages?
These tags are:

I have written about it in this thread already. Please, read this message:
http://www.nabble.com/Re%3A-Struts-2.1.8%3A-Do-we-need-to-escape-messages--p25927098.html

dcabasson wrote:
> What code are you using to output this message? Is it a s:text? a
> s:property?
>
> Denis.
>
> Alex Siman wrote:
>> I have just found that Struts 2.1.8 escapes messages, so instead of a
>> message (in browser) like:
>> User with email u...@example.com registered successfully.
>>
>> now I get this one:
>> User with email u...@example.com registered successfully.
>>
>> In the first example I used to escape only the inserted parameter "email".
>> I am not against automatic escaping of messages. It's good for security.
>> But I wonder how to use the expected HTML markup in messages? Maybe you
>> have any other design solution?
>>
>> P.S. The downside of upgrades.
Re: Struts 2.1.8: Do we need to escape messages?
What code are you using to output this message? Is it a s:text? a s:property?

Denis.

Alex Siman wrote:
> I have just found that Struts 2.1.8 escapes messages, so instead of a
> message (in browser) like:
> User with email u...@example.com registered successfully.
>
> now I get this one:
> User with email u...@example.com registered successfully.
>
> In the first example I used to escape only the inserted parameter "email".
> I am not against automatic escaping of messages. It's good for security.
> But I wonder how to use the expected HTML markup in messages? Maybe you
> have any other design solution?
>
> P.S. The downside of upgrades.
Re: Struts 2.1.8: Do we need to escape messages?
Thanks for the hint! I have found where messages get escaped:

Previously I had this variant:

Now these tags escape messages by default. Beware, upgraders!

I think this note must be included here:
http://struts.apache.org/2.1.8/migration-guide.html

BTW the above link, and many others in the wiki, is broken.

Wes Wannemacher wrote:
> I don't remember when it was added, but there is an attribute for
> s:property called 'escape' that defaults to 'true'
>
> http://struts.apache.org/2.x/docs/property.html
>
> If you set it to false, then you will probably get what you want.
>
> -Wes
>
> On Fri, Oct 16, 2009 at 6:05 AM, Alex Siman wrote:
>> I have just found that Struts 2.1.8 escapes messages, so instead of a
>> message (in browser) like:
>> User with email u...@example.com registered successfully.
>>
>> now I get this one:
>> User with email u...@example.com registered successfully.
>>
>> In the first example I used to escape only the inserted parameter "email".
>> I am not against automatic escaping of messages. It's good for security.
>> But I wonder how to use the expected HTML markup in messages? Maybe you
>> have any other design solution?
>>
>> P.S. The downside of upgrades.
>
> --
> Wes Wannemacher
> Head Engineer, WanTii, Inc.
> Need Training? Struts, Spring, Maven, Tomcat...
> Ask me for a quote!
Re: Struts 2.1.8: Do we need to escape messages?
I don't remember when it was added, but there is an attribute for s:property called 'escape' that defaults to 'true'

http://struts.apache.org/2.x/docs/property.html

If you set it to false, then you will probably get what you want.

-Wes

On Fri, Oct 16, 2009 at 6:05 AM, Alex Siman wrote:
> I have just found that Struts 2.1.8 escapes messages, so instead of a
> message (in browser) like:
> User with email u...@example.com registered successfully.
>
> now I get this one:
> User with email u...@example.com registered successfully.
>
> In the first example I used to escape only the inserted parameter "email".
> I am not against automatic escaping of messages. It's good for security.
> But I wonder how to use the expected HTML markup in messages? Maybe you
> have any other design solution?
>
> P.S. The downside of upgrades.

--
Wes Wannemacher
Head Engineer, WanTii, Inc.
Need Training? Struts, Spring, Maven, Tomcat...
Ask me for a quote!
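
An added example (not from the thread and not Struts code) of the design the original post describes: escape only the inserted parameter, so that a message can keep its own markup when it is later printed with the tag's 'escape' attribute set to false. The template text, the <b> markup, the sample input and the class and method names are constructed for illustration.

```java
import java.text.MessageFormat;

public class EscapedMessageDemo {

    // Minimal HTML escaper for element text and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // The template comes from the application's own resource bundle and is
    // trusted; every argument is treated as untrusted and escaped first.
    // Arguments are converted with String.valueOf, so MessageFormat's
    // number and date formatting is not applied to them.
    static String formatTrustedTemplate(String template, Object... args) {
        Object[] safe = new Object[args.length];
        for (int i = 0; i < args.length; i++) {
            safe[i] = escapeHtml(String.valueOf(args[i]));
        }
        return MessageFormat.format(template, safe);
    }

    public static void main(String[] argv) {
        // Constructed sample data: the <b> markup and the input are assumptions.
        String template = "User with email <b>{0}</b> registered successfully.";
        String email = "bob@example.com<script>alert(1)</script>";

        // Escaping the whole message: safe, but the <b> markup is shown as text.
        System.out.println(escapeHtml(MessageFormat.format(template, email)));
        // No escaping at all: markup works, but the input is rendered as HTML.
        System.out.println(MessageFormat.format(template, email));
        // Escaping only the argument: markup works and the input stays inert.
        // This string is what may be printed with escape="false".
        System.out.println(formatTrustedTemplate(template, email));
    }
}
```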
Struts 2.1.8: Do we need to escape messages?
I have just found that Struts 2.1.8 escapes messages, so instead of a message (in browser) like:
User with email u...@example.com registered successfully.

now I get this one:
User with email u...@example.com registered successfully.

In the first example I used to escape only the inserted parameter "email". I am not against automatic escaping of messages. It's good for security. But I wonder how to use the expected HTML markup in messages? Maybe you have any other design solution?

P.S. The downside of upgrades.