Error messages can contain <b> or <strong> to highlight input (that my
be a typo).
We don't want any <script> input to popup ie be executed by the response.
escapeJavaScript="false" does not work well. It messes with the layout.
<s:property value="#actionError" escapeHtml="false"
escapeJavaScript="false" />
On 18/06/2026 14:21, Lukasz Lenart wrote:
śr., 17 cze 2026 o 10:18 Greg Huber<[email protected]> napisał(a):
Should it be able to run the script with true?
Using escapeJavaScript="false" breaks the page layout. Allowing html
true, mainly for formatting ie <b> <strong> etc on words.
I use tiles, and this is a generic messages.jsp used everywhere, it only
allows execution in this simple usecase.
Not sure if I understand, you want to accept any user input including
<b/>, <script/>, etc. tags, but only display <b> and escape <script/>?
Cheers
Łukasz
---------------------------------------------------------------------
To unsubscribe, e-mail:[email protected]
For additional commands, e-mail:[email protected]
