If we can fix this then good.

If I understand it correctly, escapeHtml=false, then apply either escapeJavaScript or escapeXml or escapeCsv?

I did try this (escapeHtml -> escapeJavaScript), but was left with the unterminated HTML.

The quick fix I used for the layout problem was to drop escapeJavaScript and add an additional escape on any field that returned into the response (with escapeHtml=false):

 s = Strings.CS.replace(s, "\"", "&quot;");
 s = Strings.CS.replace(s, "<", "&lt;");
 s = Strings.CS.replace(s, ">", "&gt;");

Probably not the correct way compared with commons.text escapeEcmaScript (the experts), but escaping JS correctly and making it play nicely seems a minefield.


On 26/06/2026 11:34, Lukasz Lenart wrote:
Wed, 24 Jun 2026 at 11:31 Greg Huber <[email protected]> wrote:
Looking into this, basically you cannot use escapeHtml=false and
escapeJavaScript=true and have <b></b> <strong></strong> <em></em> etc
work.  There is too much of an overlap between
what StringEscapeUtils.escapeEcmaScript(result) does trying to escape
slashes with html slashes (i.e. you get <b><\/b>, an unterminated <b>
which messes with the layout).

Guess I will need to remove escapeHtml=false.

https://struts.apache.org/tag-developers/property-tag

Maybe there should be a warning on the escapeHtml tag text not to set it to
false without setting escapeJavaScript=true, otherwise it will execute
the "script" in the response.
Does this sound good?
https://issues.apache.org/jira/browse/WW-5639


Cheers
Łukasz
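
The overlap discussed in this thread, as an added example that is not code from the thread or from Struts: it shows escapeEcmaScript breaking a closing tag when the result is written into the HTML body, next to field-level HTML escaping that keeps the application's own markup intact. It assumes Apache Commons Text on the classpath; the class name, helper names and sample input are constructed for illustration.

```java
import org.apache.commons.text.StringEscapeUtils;

public class EscapeContextDemo {

    // HTML body context: the <b> tags are the application's own markup,
    // so only the untrusted field inside them is HTML-escaped.
    static String htmlBody(String untrusted) {
        return "<b>" + StringEscapeUtils.escapeHtml4(untrusted) + "</b>";
    }

    // JavaScript string context: the whole value sits between quotes inside
    // a <script> block, where "\/" is read back by the JS engine as "/".
    static String jsStringLiteral(String value) {
        return "\"" + StringEscapeUtils.escapeEcmaScript(value) + "\"";
    }

    public static void main(String[] args) {
        String untrusted = "Bob\"><script>alert(1)</script>"; // constructed sample input

        // 1. ECMAScript escaping written into the HTML body: the HTML parser
        //    does not understand backslash escapes, so the closing tag is lost.
        String broken = StringEscapeUtils.escapeEcmaScript("<b>Bob</b>");
        check(broken.equals("<b>Bob<\\/b>"), "closing tag is mangled");

        // 2. Field-level HTML escaping keeps the markup and neutralises the field.
        String safe = htmlBody(untrusted);
        check(safe.startsWith("<b>Bob&quot;&gt;&lt;script&gt;"), "field is entity-encoded");
        check(safe.endsWith("</b>"), "application markup still terminates");

        // 3. The same markup is fine as a JS string literal, which is the
        //    context escapeEcmaScript is meant for.
        String literal = jsStringLiteral("<b>Bob</b>");
        check(literal.equals("\"<b>Bob<\\/b>\""), "valid JS string literal");

        System.out.println(broken);
        System.out.println(safe);
        System.out.println("var label = " + literal + ";");
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new IllegalStateException("unexpected: " + what);
    }
}
```

The escaper has to match the context the value lands in: escapeHtml4 for a field placed in the HTML body, escapeEcmaScript only for a value placed inside a JavaScript string.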
