Looking into this, basically you cannot use escapeHtml=false and escapeJavaScript=true and have <b></b> <strong></strong> <em></em> etc. work. There is too much of an overlap between what StringEscapeUtils.escapeEcmaScript(result) does trying to escape slashes with html slashes (i.e. you get <b><\/b>, an unterminated <b> which messes with the layout).

Guess I will need to remove escapeHtml=false.

https://struts.apache.org/tag-developers/property-tag

Maybe there should be a warning on the escapeHtml tag text not to set to false without setting escapeJavaScript=true, otherwise it will execute the "script" in the response.

On 24/06/2026 07:58, Łukasz Lenart wrote:
Fri, 19 Jun 2026 at 08:50 Greg Huber<[email protected]> wrote:
Error messages can contain <b> or <strong> to highlight input (that may
be a typo).

We don't want any <script> input to pop up, i.e. be executed by the response.

escapeJavaScript="false" does not work well.  It messes with the layout.

<s:property value="#actionError" escapeHtml="false"
escapeJavaScript="false"  />
So this used to work like this? with no escape and <script/> was
stripped/escaped automatically?

<s:property value="#actionError"/>


Cheers
Łukasz

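One way to get the behaviour asked for in this thread (`<b>`, `<strong>`, `<em>` rendered, everything else inert) for a value written into HTML body text: escape the whole message first, then re-enable only bare allowlisted tags. This is an added example, not code from the thread or from Struts; the class `SafeErrorMarkup` and its methods are hypothetical, and it assumes the action exposes the already-processed string so the JSP can output it with `escapeHtml="false"`.

```java
import java.util.regex.Pattern;

// Hypothetical helper (not a Struts API): escape everything, then allow bare formatting tags.
public class SafeErrorMarkup {

    // Matches only the escaped form of a bare <b>, <strong> or <em> tag, opening or closing.
    // A tag carrying attributes, e.g. <b onclick=...>, never matches and stays escaped.
    private static final Pattern ALLOWED =
            Pattern.compile("&lt;(/?)(b|strong|em)&gt;", Pattern.CASE_INSENSITIVE);

    // Escape every character that is significant in HTML text or attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Escape first, then turn the allowlisted escaped tags back into real tags.
    // Input that was already entity-encoded becomes &amp;lt;...&amp;gt; and cannot match.
    static String render(String message) {
        return ALLOWED.matcher(escapeHtml(message)).replaceAll("<$1$2>");
    }

    public static void main(String[] args) {
        // Constructed sample messages, not taken from the thread.
        String[] samples = {
            "Unknown user <b>jsmtih</b>, did you mean <em>jsmith</em>?",
            "<script>alert(1)</script>",
            "<b onclick=\"x()\">bold</b>",
            "&lt;b&gt; already escaped"
        };
        for (String s : samples) {
            System.out.println(render(s));
        }
    }
}
```

An unbalanced allowlisted tag in the input (a `<b>` with no `</b>`) can still affect layout, so messages built from user input may also need a balance check.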