2016-11-11 12:23 GMT+01:00 Greg Huber <gregh3...@gmail.com>:
>> <s:text name="<script>alert('ok')</script>" />
>
> ....this pops!

In the latest build? Because I see something like this in the page source:

Test: <script>alert(\'ok\')<\/script>

>> Maybe we should've thought about renaming this tag
>
>
> Think we are OK here as it does say what it does, maybe could add more info
> in the hover if we are going to change it. Currently it says "Render a
> I18n text message"
>
> ##
>
> <s:text name="script.test"/>
> script.test=<script type="text/javascript">alert("ok");</script>

I assume you meant that "script.test=<script type="text/javascript">alert("ok");</script>" is passed as a request parameter? So again, are you using the latest build? Because I cannot confirm this.

> ..but do have html in the ApplicationResources.properties file so sometimes
> I want it rendered as html eg <em>Important</em> but any <script></script>
> could be escaped when it's loaded from the file initially? It's difficult
> to say how far to take this!

To be clear, this won't affect your messages from .properties files, so if you are using HTML in there you will get that HTML on your page; it won't be escaped. Right now, after disabling searching for the default message in the ValueStack, even escaping is not needed.

> Think reducing the scope of <s:text> is worth doing, it's easy to convert to
> <s:property> and also reduces the duplication / maintenance also.

Yes, but both these tags have different use cases, so I would leave them, just improve.

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/