From: egetchell [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 08, 2008 11:56 AM
> The one thing I noticed is that this escaped
> data is not translated back to the character
> set when fed into an input field.  

Perhaps this is an oversimplification, but could you just persist the raw, 
unescaped text that the user inputs, then use something like this:

<s:property value="%{rawText}" escape="true"/>
  -- or --
<c:out value="${rawText}" escapeXml="true"/>

For text fields you could then just use the rawText unescaped and it would be 
exactly the way the user entered it.

Looking back in the history for this post, this idea is basically what Greg 
Lindholm suggested [1].

To reword what he also said about SQL injection:
Just use PreparedStatements with '?' placeholders (or Hibernate, or some other 
library which will protect you from SQL injection attacks).

[1] 
http://www.nabble.com/Using-POSIX-Regular-Expressions-for-Internationalized-Validation-td19844314.html#a19858027

Brad Cupit
Louisiana State University - UIS

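The pattern Brad describes above, persist the raw text and escape once at output, worked through as an added example that is not code from this thread. It is written in Python rather than JSP/JDBC: sqlite3's `?` placeholder stands in for the PreparedStatement `?`, and `html.escape()` covers the same characters as `<c:out escapeXml="true"/>` and `<s:property escape="true"/>`. The table, the sample comments and the `x' OR '1'='1` payload are constructed for the demo. One point the example makes explicit that the message does not: the value of a text field still has to be escaped, because a raw double quote would break out of the `value="..."` attribute; the browser decodes the entities when it fills the box, so a single escape at output shows exactly what the user typed, while escaping an already-escaped stored value produces the `&amp;`/`&lt;` residue the original poster was seeing.

```python
# Added example (not code from the thread): "store raw, escape at the edges",
# shown in Python instead of JSP/JDBC. sqlite3's "?" placeholder plays the
# role of the PreparedStatement "?", and html.escape() escapes the same five
# characters as <c:out escapeXml="true"/> / <s:property escape="true"/>.
# The table, the sample comments and the payload are constructed for the demo.
import html
import sqlite3

# Constructed sample input: characters that matter to both SQL and HTML.
SAMPLE_COMMENTS = [
    ("alice", "Tom & Jerry <3"),
    ("bob", "O'Reilly said \"hi\""),
]


def escape_for_html(raw: str) -> str:
    """Output-side escaping: & < > \" and ' become entities (quote=True)."""
    return html.escape(raw, quote=True)


def input_field(name: str, raw: str) -> str:
    """Render a text field from the RAW stored value, escaping once here.

    The browser decodes entities inside value="...", so the box shows exactly
    what the user typed; escaping is still required because an unescaped
    double quote would otherwise break out of the attribute."""
    return f'<input type="text" name="{escape_for_html(name)}" value="{escape_for_html(raw)}">'


def browser_value(field_html: str) -> str:
    """What a browser puts in the box: the value attribute, entity-decoded."""
    start = field_html.index('value="') + len('value="')
    end = field_html.index('"', start)
    return html.unescape(field_html[start:end])


def open_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's persistence layer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn


def save_comment(conn, author: str, body: str) -> None:
    """Persist the raw text; placeholders keep quotes and angle brackets literal."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def bodies_by_author(conn, author: str) -> list:
    """Parameterised lookup: the author value can never become SQL syntax."""
    rows = conn.execute(
        "SELECT body FROM comments WHERE author = ? ORDER BY id", (author,))
    return [row[0] for row in rows]


def bodies_by_author_unsafe(conn, author: str) -> list:
    """The string concatenation the thread warns against; kept only to show the bug."""
    sql = "SELECT body FROM comments WHERE author = '" + author + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def demo() -> dict:
    conn = open_db()
    for author, body in SAMPLE_COMMENTS:
        save_comment(conn, author, body)
    tautology = "x' OR '1'='1"          # classic injection payload (constructed)
    stored = bodies_by_author(conn, "bob")
    return {
        "stored": stored,                                      # raw, untouched
        "leaked": bodies_by_author_unsafe(conn, tautology),    # every row comes back
        "blocked": bodies_by_author(conn, tautology),          # nothing matches
        "field": input_field("comment", stored[0]),            # escaped once, at output
        "shown": browser_value(input_field("comment", stored[0])),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the three things the message relies on: the stored body is byte-for-byte what the user entered, the tautology payload returns every row through concatenation and no rows through the placeholder, and the rendered field carries `&#x27;` and `&quot;` in its attribute while the browser-decoded value is the original text.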