Hi All,

While testing my app (AppFuse 2.0.1 + Struts2) I noticed a success message from my ApplicationResources.properties file displaying the raw HTML markup (<strong> ... ) rather than processing it.

A Google search led me to APF 880, in which HTML was removed from AR.properties because of potential XSS holes and messages.jsp was changed to escape HTML. I had originally started my app in AppFuse 2.0 and then upgraded to 2.0.1. In the process, I missed the step of removing markup from my ApplicationResources.properties file.

My problem is that I quite liked the ability to mark up the messages and I'm wondering if there's any _safe_ way of reinstating that capability. I know I could just edit my messages.jsp and put "escapeXml=true" in my c:out tags, but of course I'd be re-introducing the XSS risk.

Could it be possible to not escape the text of the i18n message, but to escape any variables included in it?

TIA,

Rob Hills
Waikiki, Western Australia
Mobile +61 (412) 904-357
Fax: +61 (8) 9529-2137