If we can fix this then good.
If I understand it correctly, escapehtml=false, then apply either
escapeJavaScript or escapeXml or escapeCsv ?
I did try this, (escapeHtml -> escapeJavaScript) but was left with the
unterminated html
the quick fix I used for the layout problem, was to drop
escapeJavaScript add an additional escape on any field that returned
into the response (with escapehtml=false)
s = Strings.CS.replace(s, "\"", """);
s = Strings.CS.replace(s, "<", "<");
s = Strings.CS.replace(s, ">", ">");
Probably not the correct way comparing with commons.text
escapeEcmaScript (the experts), but escaping js correctly and make it
play nicely seems a minefield.
On 26/06/2026 11:34, Lukasz Lenart wrote:
śr., 24 cze 2026 o 11:31 Greg Huber<[email protected]> napisał(a):
Looking into this, basically you cannot use escapeHtml=false and
escapeJavaScript=true and have <b></b> <strong></strong> <em></em> etc
work. There is too much of an overlap between
what StringEscapeUtils.escapeEcmaScript(result) does trying to escape
slashes with html slashes (ie you get <b><\/b>, an unterminated <b>
which messes with the layout).
Guess I will need remove escapeHtml=false.
https://struts.apache.org/tag-developers/property-tag
Maybe there should be a warning on the escapeHtml tag text not to set to
false without setting escapeJavaScript=true, otherwise it will execute
the "script" in the response.
Does this sound good?
https://issues.apache.org/jira/browse/WW-5639
Cheers
Łukasz
---------------------------------------------------------------------
To unsubscribe, e-mail:[email protected]
For additional commands, e-mail:[email protected]