2008/1/16, Jeromy Evans <[EMAIL PROTECTED]>:
>
> > You forgot a semicolon. The correct link is:
> > <a href="javascript:alert('1&amp;2&gt;3='+(1&amp;2&gt;3));">Link B</a>
> > And it *is* equivalent.
> >
> > Antonio
> >
> >
> Ah, my bad.  Okay, I'm convinced. :-)
>
> On that basis, the anchor tag just needs ?html added to the href
> attribute:



Not so fast, Jeromy :-)
There are three solutions for this "bug":
1) add an extra attribute, for encoding or not encoding the string;
2) encoding in html by default;
3) not encoding at all but document it *very well*.

I opened an issue for this:
https://issues.apache.org/struts/browse/WW-2427
Feel free to add comments there.

Antonio
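
The equivalence discussed above, and what options 1 to 3 mean for a rendered href, as an added example that is not part of the original message or of Struts itself. `renderAnchor`, its `encode` option and the sample URL are hypothetical; the decoder handles only the five entities shown.

```javascript
// Escape the characters that are significant inside an HTML attribute value.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Decode the same entities, as an HTML parser does to an attribute value
// before the URL in it is interpreted. Single pass, so nothing is decoded twice.
function decodeHtmlAttr(value) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return value.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => map[e]);
}

// Hypothetical tag renderer: encoding is on by default (option 2); the extra
// option turns it off (option 1), which gives the output of option 3.
function renderAnchor(href, text, { encode = true } = {}) {
  const h = encode ? escapeHtmlAttr(href) : href;
  return `<a href="${h}">${escapeHtmlAttr(text)}</a>`;
}

// Read the href back the way a parser would: everything up to the first
// closing double quote, then entity-decoded.
function parsedHref(html) {
  const m = /<a href="([^"]*)"/.exec(html);
  return m ? decodeHtmlAttr(m[1]) : null;
}

// Link B from the thread, unencoded, and a constructed URL containing quotes.
const script = "javascript:alert('1&2>3='+(1&2>3));";
const query = 'list.action?title="a"&page=2';

// Encoded output decodes back to exactly the value the caller supplied.
console.log(parsedHref(renderAnchor(script, 'Link B')) === script);
console.log(parsedHref(renderAnchor(query, 'Next')) === query);
// Without encoding, the first quote in the value ends the attribute early.
console.log(parsedHref(renderAnchor(query, 'Next', { encode: false })));
```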
