On 21/3/02 10:53 PM, "Rickard" ([EMAIL PROTECTED]) penned the words:
> Taavi Tiirik wrote:
> <<snipped>>
>> Please share your thoughts about this. How do you deal with this?
>
> This is a very good question, that I haven't dealt with myself (but need to).

Surely you have? Easy way to replicate a bug on your new TSS system then:

- anywhere there is a text field which is prefilled, enter the value 'foo"bar'
- store and reload the text field somehow (eg go to an 'edit' page of a CRUD system)
- the textfield will say 'foo' and will now be saved as 'foo' when you submit the form.

> Are there any occasions where it is *not* necessary to escape the
> output? I.e. should we always do it?

There's no reason to escape it in normal HTML. It might have < or > in it that you WANT to be interpreted as tags (or even "). The only place you want it to be escaped is inside an attribute, inside a <textarea> or sometimes inside HTML (i.e. displaying a value).

At the moment I handle this by wrapping a <view:escape> tag around the property tag - I have a modified set of JSP templates which do this (and other things - like multiple selects, header rows, descriptions). Again, waiting on 1.0 to get done before I commit any of these.

-mike

Mike Cannon-Brookes
[EMAIL PROTECTED]

ATLASSIAN - Your J2EE Expert Partner
--------------------------------------------------------
> Brilliant Software - http://www.atlassian.com/software
> Legendary Services - http://www.atlassian.com/support

_______________________________________________
Webwork-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webwork-user
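The round-trip bug Mike describes (a prefilled field holding 'foo"bar' comes back as 'foo') and the attribute-escaping fix are shown below as an added example; this is illustrative code written for this page, not code from the thread or from WebWork, and it uses a deliberately tiny model of how a browser tokenises a start tag's double-quoted attributes rather than a real HTML parser. The function names, the `comment` field name and the sample values are all constructed for the example. The same unescaped quote that silently truncates the stored value also lets anyone who controls the value close the attribute and add their own (an `onfocus` handler, say), which is why in practice a practitioner escapes every dynamic value in an attribute, and usually in text content too, rather than only where a stray quote has been noticed.

```javascript
// Added example (not from the original thread or from WebWork): escaping a
// prefilled <input> value, and the data-loss / attribute-injection that an
// unescaped value causes. Names and sample data are constructed for this demo.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value so it is safe inside a quoted HTML attribute (or text content).
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Naive template: the stored value is dropped straight into a double-quoted
// attribute, exactly the situation the e-mail reproduces.
function renderInputNaive(name, value) {
  return `<input type="text" name="${name}" value="${value}">`;
}

// Hardened template: every dynamic value passes through escapeHtmlAttr first.
function renderInputEscaped(name, value) {
  return `<input type="text" name="${escapeHtmlAttr(name)}" value="${escapeHtmlAttr(value)}">`;
}

// Minimal model of a browser reading the attributes of one start tag:
// name="..." pairs, a double-quoted value ends at the first '"', the first
// occurrence of an attribute wins, and the standard entities are decoded.
// Enough to show what the form will resubmit on the next save.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    if (!(m[1] in attrs)) attrs[m[1]] = decodeEntities(m[2]);
  }
  return attrs;
}

function decodeEntities(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => map[e]);
}

// Store -> render into the edit page -> reload: what does the field hold now?
function roundTrip(render, value) {
  return parseAttributes(render('comment', value)).value;
}

// Stand-alone demonstration.
const stored = 'foo"bar';
console.log('naive   :', roundTrip(renderInputNaive, stored));   // foo
console.log('escaped :', roundTrip(renderInputEscaped, stored)); // foo"bar

const hostile = '" autofocus onfocus="alert(1)';
console.log('naive has onfocus  :', 'onfocus' in parseAttributes(renderInputNaive('comment', hostile)));
console.log('escaped has onfocus:', 'onfocus' in parseAttributes(renderInputEscaped('comment', hostile)));
```

Run with `node` to see the naive template lose everything after the quote while the escaped template returns the stored value intact; the second pair of lines shows that the same missing escape turns a stored value into a new event-handler attribute, which is the security side of the bug the thread treats as a data-loss problem.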
