[ https://issues.apache.org/jira/browse/WW-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12849681#action_12849681 ]

Lukasz Lenart commented on WW-3405:
-----------------------------------

It took only two weeks ;-)

> fielderror -tag does not escape the error message if param tag is used
> ----------------------------------------------------------------------
>
>                 Key: WW-3405
>                 URL: https://issues.apache.org/jira/browse/WW-3405
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.1.8.1
>         Environment: Windows Vista, Weblogic 10.3.2, Struts 2.1.8.1
>            Reporter: Petteri Kauko
>            Assignee: Lukasz Lenart
>            Priority: Critical
>             Fix For: 2.2.0
>
>
> Noticed this when I wanted to have the field contents as part of the error 
> message. In this case, the error message I'm using has ${trackingCode} as 
> part of it and there's an input field in the form named trackingCode. Class 
> error_text is a simple class that colors the text red.
> When using fielderror as follows:
> <s:fielderror theme="simple" cssClass="error_text" />
> If the field trackingCode contains JavaScript, the script is just printed on 
> the page as part of the error message. Also, any HTML entities in the 
> resource bundle are printed out with the ampersand -> &auml; is just printed 
> out as it was in the resource bundle.
> When using fielderror like this:
> <s:fielderror theme="simple" cssClass="error_text" >
>      <s:param>trackingCode</s:param>
> </s:fielderror>
> If the field trackingCode contains JavaScript, the script is executed on page 
> load. Also, any HTML entities in the resource bundle are not escaped, hence 
> &auml; becomes ä on the page.
> I think this is an obvious bug, but was unable to find an issue of it.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
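
The two rendering behaviours described in the report, reproduced outside Struts as an added example (not code from the issue or from Struts 2). The class and method names, the message text and the field value are constructed for illustration; the third rendering, which escapes only the interpolated field value, is an assumption about one possible mitigation and not a description of the 2.2.0 fix.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration: none of these names are Struts 2 APIs.
public class FieldErrorEscapingDemo {
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{(\\w+)\\}");

    // Replace ${name} in a resource-bundle message with the submitted field
    // value, optionally HTML-escaping the value as it is inserted.
    static String interpolate(String template, Map<String, String> fields, boolean escapeValues) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = fields.getOrDefault(m.group(1), "");
            m.appendReplacement(out, Matcher.quoteReplacement(escapeValues ? escapeHtml(value) : value));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Minimal HTML escaping for element content; '&' must be replaced first.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    static String span(String body) {
        return "<span class=\"error_text\">" + body + "</span>";
    }

    public static void main(String[] args) {
        // Constructed sample data: a bundle message with an entity, and a field value containing markup.
        String template = "Tracking code ${trackingCode} is not valid (k&auml;ytt&auml;j&auml;)";
        Map<String, String> fields = new HashMap<>();
        fields.put("trackingCode", "<script>alert(1)</script>");
        String raw = interpolate(template, fields, false);

        // Reported behaviour with <s:param>: nothing is escaped, so the field's markup reaches the page as markup.
        System.out.println("unescaped:     " + span(raw));
        // Reported behaviour without <s:param>: the whole message is escaped, so bundle entities print literally.
        System.out.println("whole message: " + span(escapeHtml(raw)));
        // Assumed alternative: escape only the user-supplied value, leaving bundle entities intact.
        System.out.println("value only:    " + span(interpolate(template, fields, true)));
    }
}
```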
