Looking into this, basically you cannot use escapeHtml=false and
escapeJavaScript=true and have <b></b> <strong></strong> <em></em> etc
work. There is too much of an overlap between
what StringEscapeUtils.escapeEcmaScript(result) does trying to escape
slashes with html slashes (ie you get <b><\/b>, an unterminated <b>
which messes with the layout).
Guess I will need remove escapeHtml=false.
https://struts.apache.org/tag-developers/property-tag
Maybe there should be a warning on the escapeHtml tag text not to set to
false without setting escapeJavaScript=true, otherwise it will execute
the "script" in the response.
On 24/06/2026 07:58, Łukasz Lenart wrote:
pt., 19 cze 2026 o 08:50 Greg Huber<[email protected]> napisał(a):
Error messages can contain <b> or <strong> to highlight input (that my
be a typo).
We don't want any <script> input to popup ie be executed by the response.
escapeJavaScript="false" does not work well. It messes with the layout.
<s:property value="#actionError" escapeHtml="false"
escapeJavaScript="false" />
So this used to work like this? with no escape and <script/> was
stripped/escaped automatically?
<s:property value="#actionError"/>
Cheers
Łukasz
---------------------------------------------------------------------
To unsubscribe, e-mail:[email protected]
For additional commands, e-mail:[email protected]