> Are you suggesting that javascript injection in href be disabled to prevent > XSS attacks?
I'm suggesting that is better that the variable inside <s:a href="%{myVar}> should NOT close the generated <a> because this would make the browser to execute the eventual javascript automatically on the page load... --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]