[ https://issues.apache.org/jira/browse/WW-4742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15885510#comment-15885510 ]

Lukasz Lenart commented on WW-4742:
-----------------------------------

The problem is that someone can use this to perform a security breach; 
that's why we're escaping those messages. But let me think about a possible 
solution, I will take this over :)

> Problem with escape when the key from getText has no value
> ----------------------------------------------------------
>
>                 Key: WW-4742
>                 URL: https://issues.apache.org/jira/browse/WW-4742
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Tags
>    Affects Versions: 2.5.8, 2.5.10
>            Reporter: Mateus Carvalho
>            Priority: Minor
>             Fix For: 2.5.next
>
>
> When using an encoding like ISO-8859-1 and having the following situation:
> {code:title=message.ftl|borderStyle=solid}
> ...
> <@s.text name="Obrigatório - not mapped word in any dictionary" />
> ...
> {code}
> We have the following output after update 2.5.8:
> {code}
> Obrigat\u00F3rio - not mapped word in any dictionary
> {code}
> After a careful look at the source code and the issues from 2.5.8, I found the 
> problem happens in just one line added in WW-4712, in the following part of the 
> code:
> {code:title=TextProviderHelper.java|borderStyle=solid}
> ...
> public static String getText(String key, String defaultMessage, List<Object> args, ValueStack stack, boolean searchStack) {
> ...
> //This escape causes the problem
> msg = StringEscapeUtils.escapeEcmaScript(msg);
> ...
> }
> ...
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
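
An added illustration, not code from Struts or Commons Lang: two simplified, JDK-only encoders (the names `forJsString` and `forHtmlText` are hypothetical) run over a constructed message, showing why output escaping has to match the output context. The JavaScript-string form reproduces the `\u00F3` output reported above and still lets `<` through, while the HTML-text form keeps `ó` and neutralizes the markup characters.

```java
import java.io.PrintStream;

public class OutputContextEncoding {

    // Simplified JavaScript-string encoder (assumption: a stand-in, not the library code).
    // Quotes, backslash and slash get a backslash; anything outside printable ASCII
    // becomes a backslash-u hex escape. Note that '<' and '>' are left as they are.
    static String forJsString(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '\'' || c == '"' || c == '\\' || c == '/') {
                out.append('\\').append(c);
            } else if (c < 0x20 || c > 0x7f) {
                out.append(String.format("\\u%04X", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    // Simplified HTML-text encoder: only the characters that are markup-significant
    // are replaced, so accented letters reach the page unchanged.
    static String forHtmlText(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        PrintStream utf8 = new PrintStream(System.out, true, "UTF-8");
        // Constructed input: the word from the issue (o-acute written as an escape so the
        // source compiles under any file encoding) followed by markup characters.
        String msg = "Obrigat\u00F3rio <b>'x'</b>";
        String js = forJsString(msg);
        String html = forHtmlText(msg);
        utf8.println("JS string context: " + js);
        utf8.println("HTML text context: " + html);
        // Wrong-context check: the JS form is mangled for readers and still carries '<'.
        utf8.println("JS form still contains '<': " + js.contains("<"));
        utf8.println("HTML form still contains '<': " + html.contains("<"));
    }
}
```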
