ok, cool :)

2016-11-12 9:43 GMT+01:00 Greg Huber <gregh3...@gmail.com>:
>> <s:text name="<script>alert('ok')</script>" />
>> In the latest build? Because I see something like this in the source page
>> Test: <script>alert(\'ok\')<\/script>
>
> OK, it is escaped.
>
> <script>alert(\'ok\')<\/script>
>
> ##
>
>> script.test=<script type="text/javascript">alert("ok");</script>
>> <s:text name="script.test"/>
>
> script.test is in my .properties file, but as we are not escaping I would
> expect this to pop.
>
> My tests:
>
> <s:if test="#parameters.contains('error')">
>   <ul>
>     <li>
>       1<s:text name="#parameters.get('error').value"/>
>     </li>
>     <li>
>       2 <s:text name="#parameters.error"/>
>     </li>
>     <li>
>       3 <s:property value="#parameters.error"/>
>     </li>
>     <li>
>       <s:text name="getParameter('error')" />
>     </li>
>     <li>
>       4 <s:property value="%{#parameters.get('error').value}"/>
>     </li>
>     <li>
>       5 <s:text name="<script>alert('ok')</script>" />
>     </li>
>     <li>
>       6 <s:text name="script.test"/>
>     </li>
>   </ul>
> </s:if>
>
> - 1#parameters.get(\'error\').value
> - 2 #parameters.error
> - 3 <script type="text/javascript">alert("ok");</script>
> - getParameter(\'error\')
> - 4
> - 5 <script>alert(\'ok\')<\/script>
> - 6
>
> #6 is the only one now that pops, which is correct.
>
>
> On 12 November 2016 at 08:24, Lukasz Lenart <lukaszlen...@apache.org> wrote:
>
>> 2016-11-11 12:23 GMT+01:00 Greg Huber <gregh3...@gmail.com>:
>> >> <s:text name="<script>alert('ok')</script>" />
>> >
>> > ....this pops!
>>
>> In the latest build? Because I see something like this in the source page
>>
>> Test: <script>alert(\'ok\')<\/script>
>>
>> >> Maybe we should've thought about renaming this tag
>> >
>> >
>> > Think we are OK here as it does say what it does, maybe could add more
>> > info in the hover if we are going to change it. Currently it says "Render a
>> > I18n text message"
>> >
>> > ##
>> >
>> > <s:text name="script.test"/>
>> > script.test=<script type="text/javascript">alert("ok");</script>
>>
>> I assume you meant that "script.test=<script type="text/javascript">alert("ok");</script>"
>> is passed as a request parameter? So again, are you using the latest build?
>> Because I cannot confirm this.
>>
>> > ..but I do have html in the ApplicationResources.properties file, so
>> > sometimes I want it rendered as html, e.g. <em>Important</em>, but any
>> > <script></script> could be escaped when it's loaded from the file initially?
>> > It's difficult to say how far to take this!
>>
>> To be clear, this won't affect your messages from .properties files,
>> so if you are using html in there you will get that html on your page,
>> it won't be escaped. Right now, after disabling searching for the default
>> message in the ValueStack, even escaping is not needed.
>>
>> > Think reducing the scope of <s:text> is worth doing, it's easy to convert
>> > to <s:property> and it also reduces the duplication / maintenance.
>>
>> Yes, but both these tags have different use cases, so I would leave
>> them and just improve.
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>> For additional commands, e-mail: dev-h...@struts.apache.org
>>
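As an added example (not code from the thread or from Struts itself), a simplified Python model of the two resolution paths the thread describes: a name that is a key in the .properties bundle is rendered raw, while any other name is treated as a default message and escaped, which is why #6 pops and #1, #2 and #5 do not. The bundle contents are constructed, and the escape rules beyond the `\'` and `<\/script>` visible in Greg's output are assumed.

```python
"""Model of <s:text name="..."> resolution as discussed in the thread.
Added example, not Struts' own code: bundle lookup, fallback rule and the
escape table are assumptions chosen to reproduce the outputs Greg posted."""

import html

# Constructed stand-in for ApplicationResources.properties (Greg's script.test key).
BUNDLE = {
    "script.test": '<script type="text/javascript">alert("ok");</script>',
    "welcome": "<em>Important</em>",
}

# JavaScript-string escaping. Only \' and <\/script> are visible in the thread's
# output; the remaining rules (backslash, double quote, line breaks) are assumed.
_JS_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "/": "\\/",
    "\n": "\\n",
    "\r": "\\r",
}


def js_escape(text: str) -> str:
    """Escape a string so it is inert inside a JavaScript string literal."""
    return "".join(_JS_ESCAPES.get(ch, ch) for ch in text)


def resolve_text(name: str, bundle: dict = BUNDLE) -> str:
    """A key found in the bundle is rendered raw (trusted content, may carry
    markup, as Lukasz states); anything else is a default message and gets
    escaped, so a request-controlled name cannot execute."""
    if name in bundle:
        return bundle[name]
    return js_escape(name)


def html_escape(text: str) -> str:
    """Body-context escaping, the default behaviour of <s:property>; shown for
    comparison with the JavaScript-style escaping above."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    for n, name in [(1, "#parameters.get('error').value"), (2, "#parameters.error"),
                    (5, "<script>alert('ok')</script>"), (6, "script.test")]:
        print(n, resolve_text(name))
```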