[
https://issues.apache.org/struts/browse/WW-3047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45764#action_45764
]
Lee Clemens commented on WW-3047:
---------------------------------
Correction: The Option's Labels are not being escaped (what this bug report is
for). I have not tested to see if the Option values are escaped.
> doubleselect does not escape quotes in doublelist values
> --------------------------------------------------------
>
> Key: WW-3047
> URL: https://issues.apache.org/struts/browse/WW-3047
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.0.14
> Environment: Tomcat 5.5.17, Windows XP SP2, Firefox 3.0.7
> Reporter: Lee Clemens
>
> Using:
> <s:doubleselect name="priId" doubleName="subId"
> list="mainList" doubleList="subList"
> listKey="value" doubleListKey="value"
> listValue="label" doubleListValue="label"/>
> mainList is a class which contains getSubList(), which returns a list for the
> second drop down.
> Both Lists contain classes which contain getValue() and getLabel() methods.
> A quoted value is properly escaped if from the 'list'; however, the
> 'doublelist' values are not escaped:
> Example of resultant HTML:
> List is escaped:
> <option value="abc">"quotedString"</option>
> However, generated JavaScript for the doubleselect is not escaped:
> FormName_doubleSelectFoo[123][0] = new Option(""quotedString"", "123");
> Which causes the second drop down box to only contain an empty option
> (presumably from error in JavaScript).
> I haven't tested this to ensure it escapes the Labels, however the same issue
> may be present there.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
