[ http://mc4j.org/jira/browse/STS-256?page=all ]
Tim Fennell resolved STS-256.
-----------------------------
Resolution: Fixed
The field value is now HTML encoded before anything can be done with the error
on a page. I'm not going to encode the other parameters unless there's a
really good reason, since it would stop folks doing (admittedly questionable)
things like:
add(new LocalizableError("/foo.action.bar", "<b>" + username + "</b>"));
At the minimum this stops the user from injecting non-HTML values, and if you
run into problems you can always call HtmlUtil.encode() on the additional
parameters, or make a strong case for encoding everything!
> Parameters to validation errors should be HTML Encoded before display on the
> page
> ---------------------------------------------------------------------------------
>
> Key: STS-256
> URL: http://mc4j.org/jira/browse/STS-256
> Project: Stripes
> Issue Type: Bug
> Components: Validation, Tag Library
> Affects Versions: Release 1.4
> Reporter: Andy
> Assigned To: Tim Fennell
> Fix For: Release 1.4.1
>
>
> If a user enters an invalid value in a field that contains HTML characters
> and the error message includes the value as a parameter (e.g. {0} is not a
> valid {1}), then the HTML makes it into the page un-escaped.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://mc4j.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
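The encoding policy described in this thread, as an added illustration that is not Stripes code and does not use the Stripes API: parameter {0} of a validation message (the field value, as in the "{0} is not a valid {1}" example from the issue) is HTML encoded before the message is formatted, while the remaining parameters pass through untouched so a caller can still put markup in them deliberately. The htmlEncode() helper, renderUnencoded()/renderFieldValueEncoded(), the template strings and the sample values are all constructed for this example; htmlEncode() stands in for the HtmlUtil.encode() call mentioned above and is assumed to behave the same way.

```java
import java.text.MessageFormat;
import java.util.Arrays;

public class ErrorParamEncoding {

    // Hypothetical stand-in for HtmlUtil.encode(): escapes the characters that
    // would otherwise be interpreted as markup in HTML text or attribute context.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Behaviour the issue reports: every parameter is substituted as-is.
    static String renderUnencoded(String template, Object... params) {
        return MessageFormat.format(template, params);
    }

    // Behaviour after the fix: parameter {0} (the field value) is encoded,
    // later parameters are left alone so callers may still supply markup there.
    static String renderFieldValueEncoded(String template, Object... params) {
        Object[] copy = Arrays.copyOf(params, params.length);
        if (copy.length > 0 && copy[0] != null) {
            copy[0] = htmlEncode(copy[0].toString());
        }
        return MessageFormat.format(template, copy);
    }

    // Simple check a unit test can use: does raw markup survive into the output?
    static boolean containsRawTag(String rendered) {
        return rendered.indexOf('<') >= 0 || rendered.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample: a field value containing HTML characters and the
        // message template quoted in the issue description.
        String template   = "{0} is not a valid {1}";
        String fieldValue = "<b>bogus</b>";
        String fieldLabel = "Integer";

        String before = renderUnencoded(template, fieldValue, fieldLabel);
        String after  = renderFieldValueEncoded(template, fieldValue, fieldLabel);

        System.out.println("before fix: " + before);   // <b>bogus</b> is not a valid Integer
        System.out.println("after fix:  " + after);    // &lt;b&gt;bogus&lt;/b&gt; is not a valid Integer
        System.out.println("raw tag before fix? " + containsRawTag(before)); // true
        System.out.println("raw tag after fix?  " + containsRawTag(after));  // false

        // The deliberate-markup case from the resolution comment: markup lives in a
        // parameter other than {0}, so it is not touched by the field-value encoding.
        // Anything user-controlled inside it should still be passed through htmlEncode().
        String username = "o'neil & co";
        String greeting = renderFieldValueEncoded("{0}: hello {1}",
                "", "<b>" + htmlEncode(username) + "</b>");
        System.out.println(greeting); // : hello <b>o&#39;neil &amp; co</b>
    }
}
```

The point of splitting the two render methods is that the fix changes only how parameter {0} is treated; a test that asserts containsRawTag() is false for renderFieldValueEncoded() but true for renderUnencoded() on the same input pins that behaviour down, and the greeting case documents that any user-derived text placed in the other parameters still needs an explicit encode call.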
_______________________________________________
Stripes-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-development