[ https://issues.apache.org/struts/browse/STR-3092?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Benedict updated STR-3092:
-------------------------------

          Environment:     (was: not sure about this field)
    Affects Version/s: 1.1.1
        Fix Version/s: 1.4.0
             Assignee: Paul Benedict
              Summary: ErrorsTag should filter arguments for html display (was: org.apache.struts.taglib.html.ErrorsTag should filter arguments for html display)

> ErrorsTag should filter arguments for html display
> --------------------------------------------------
>
>                 Key: STR-3092
>                 URL: https://issues.apache.org/struts/browse/STR-3092
>             Project: Struts 1
>          Issue Type: Improvement
>          Components: Taglibs
>    Affects Versions: 1.1.1
>            Reporter: Juan Duran
>            Assignee: Paul Benedict
>            Priority: Minor
>             Fix For: 1.4.0
>
>
> Unlike bean:write, html:errors doesn't filter for HTML the arguments that
> may go along with the message.
> In my opinion, those arguments should be filtered for HTML by default, as this
> is the purpose of the ErrorsTag (to display in HTML).
> Sometimes we may want to include the user input in the error message after
> some validation. For example, say I want to validate that a nameserver is a
> valid registered nameserver. I would take the user input, run the
> validation service and would like my error message to be declared in the
> resources file as:
> error.invalid.dns={0} is not a registered nameserver
> If the user wants to screw up my display, then he may enter something like
> "seehowthislooks<hr>". The HTML element doesn't get filtered out.
> I believe ErrorsTag should make use of TagUtils.filter(value) in the
> doStartTag method (which is used by org.apache.struts.taglib.bean.WriteTag).
> That would take care of this issue.
> workaround
> ----------------
> Of course, we could do the filter before creating the error (ActionMessage),
> but it would be nice to have this feature just as it happens with bean:write.
> Thanks!

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
