[ http://jira.codehaus.org/browse/DISPL-80?page=comments#action_54650 ] 

Ralf Hauser commented on DISPL-80:
----------------------------------

This is important because if the property contains HTML strings, those could 
possibly be used to construct a cross-site-scripting attack.
In Struts, 

   String org.apache.struts.taglib.TagUtils.filter(String value)

protects against this.

> option to automatically escape xml
> ----------------------------------
>
>          Key: DISPL-80
>          URL: http://jira.codehaus.org/browse/DISPL-80
>      Project: DisplayTag
>         Type: Improvement
>   Components: Decorators
>     Versions: 1.0 RC1
>     Reporter: fabrizio giustina
>     Priority: Minor
>      Fix For: 1.1
>
>
> ====
> imported from sf tracker
> id 929098 
> submitted by Adam Murray - admm
> http://sourceforge.net/support/tracker.php?aid=929098 
> ====
> I'm displaying some strings that contain xml. These are
> not displayed by the web browser because it tries to
> interpret the tag as html. To correct this I have to
> use a decorator. It would be nice if there were an
> option one could set for the table (or individual
> columns) to automatically escape any xml in the strings
> being displayed.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
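The comment above points at the security side of the request: a column value that carries markup is rendered as markup unless something escapes it first. The following is an added illustration, not DisplayTag or Struts code, of what such an escape step does when a cell is rendered; it uses only the JDK, and the class and method names (`EscapingDecorator`, `escapeHtml`, `renderCell`, the `escapeXml` flag) are hypothetical stand-ins for the per-table or per-column option the issue asks for.

```java
// Added example (hypothetical, not DisplayTag's decorator API): escape a cell
// value before it is written into the table so that the browser shows the
// literal text instead of interpreting the tags.
public class EscapingDecorator {

    /** Escape the five characters that can change HTML structure or break out of an attribute. */
    public static String escapeHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Render one table cell; the escapeXml flag models the requested table/column option. */
    public static String renderCell(String value, boolean escapeXml) {
        String body = escapeXml ? escapeHtml(value) : value;
        return "<td>" + body + "</td>";
    }

    public static void main(String[] args) {
        // Constructed sample value: the reporter's case of a string that contains XML.
        String xmlValue = "<order id=\"42\"><item>A & B</item></order>";

        // Without escaping the tags reach the browser as markup and the text disappears.
        System.out.println(renderCell(xmlValue, false));
        // With escaping the browser displays the XML source verbatim.
        System.out.println(renderCell(xmlValue, true));
    }
}
```

The same step is what closes the XSS concern: any value that reaches the page through this path, whether it is the reporter's XML or user-supplied text containing markup, is rendered as text rather than interpreted. Escaping once at output time is preferable to a per-value decorator because it cannot be forgotten for a column.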



_______________________________________________
displaytag-devel mailing list
displaytag-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/displaytag-devel