Posted to user@struts.apache.org by Alex Siman <al...@gmail.com> on 2009/10/16 12:05:03 UTC

Struts 2.1.8: Do we need to escape messages?

I have just found that Struts 2.1.8 escapes messages, so instead of a message
(in browser) like:
User with email user@example.com registered successfully.

now I get this one:
User with email &lt;strong&gt;user@example.com&lt;/strong&gt; registered
successfully.

In the first example I used to escape only the inserted parameter "email".
I am not against automatic escaping of messages. It's good for security. But
I wonder how to use the expected HTML markup in messages? Maybe you have
any other design solution?

P.S. The downside of upgrades.
-- 
View this message in context: http://www.nabble.com/Struts-2.1.8%3A-Do-we-need-to-escape-messages--tp25922882p25922882.html
Sent from the Struts - User mailing list archive at Nabble.com.

Re: Struts 2.1.8: Do we need to escape messages?

Posted by Alex Siman <al...@gmail.com>.
These tags are:

        <s:actionmessage/>
        <s:actionerror/> 

I have written about it in this thread already. Please, read this message:
http://www.nabble.com/Re%3A-Struts-2.1.8%3A-Do-we-need-to-escape-messages--p25927098.html

dcabasson wrote:
> 
> What code are you using to output this message? Is it a s:text? a 
> s:property?
> 
> Denis.
> 
> Alex Siman wrote:
>> I have just found that Struts 2.1.8 escapes messages, so instead of a
>> message (in browser) like:
>> User with email user@example.com registered successfully.
>>
>> now I get this one:
>> User with email &lt;strong&gt;user@example.com&lt;/strong&gt; registered
>> successfully.
>>
>> In the first example I used to escape only the inserted parameter "email".
>> I am not against automatic escaping of messages. It's good for security.
>> But I wonder how to use the expected HTML markup in messages? Maybe you
>> have any other design solution?
>>
>> P.S. The downside of upgrades.
>>   
> 
> 
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Struts-2.1.8%3A-Do-we-need-to-escape-messages--tp25922882p25937213.html
Sent from the Struts - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Struts 2.1.8: Do we need to escape messages?

Posted by Denis Cabasson <de...@gmail.com>.
What code are you using to output this message? Is it a s:text? a 
s:property?

Denis.

Alex Siman wrote:
> I have just found that Struts 2.1.8 escapes messages, so instead of a message
> (in browser) like:
> User with email user@example.com registered successfully.
>
> now I get this one:
> User with email &lt;strong&gt;user@example.com&lt;/strong&gt; registered
> successfully.
>
> In the first example I used to escape only the inserted parameter "email".
> I am not against automatic escaping of messages. It's good for security. But
> I wonder how to use the expected HTML markup in messages? Maybe you have
> any other design solution?
>
> P.S. The downside of upgrades.
>   




Re: Struts 2.1.8: Do we need to escape messages?

Posted by Alex Siman <al...@gmail.com>.
Thanks for the hint! I have found where messages get escaped:

	<s:actionmessage escape="false"/>
	<s:actionerror escape="false"/>

Previously I had this variant:

	<s:actionmessage/>
	<s:actionerror/>

Now these tags escape messages by default. Beware, upgraders!

I think this note must be included here:
http://struts.apache.org/2.1.8/migration-guide.html

BTW, the above link, and many others in the wiki, are broken.

Wes Wannemacher wrote:
> 
> I don't remember when it was added, but there is an attribute for
> s:property called 'escape' that defaults to 'true'
> 
> http://struts.apache.org/2.x/docs/property.html
> 
> If you set it to false, then you will probably get what you want.
> 
> -Wes
> 
> On Fri, Oct 16, 2009 at 6:05 AM, Alex Siman <al...@gmail.com>
> wrote:
>>
>> I have just found that Struts 2.1.8 escapes messages, so instead of a
>> message (in browser) like:
>> User with email user@example.com registered successfully.
>>
>> now I get this one:
>> User with email &lt;strong&gt;user@example.com&lt;/strong&gt; registered
>> successfully.
>>
>> In the first example I used to escape only the inserted parameter "email".
>> I am not against automatic escaping of messages. It's good for security.
>> But I wonder how to use the expected HTML markup in messages? Maybe you
>> have any other design solution?
>>
>> P.S. The downside of upgrades.
>>
> 
> 
> 
> -- 
> Wes Wannemacher
> 
> Head Engineer, WanTii, Inc.
> Need Training? Struts, Spring, Maven, Tomcat...
> Ask me for a quote!
> 
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Struts-2.1.8%3A-Do-we-need-to-escape-messages--tp25922882p25927098.html
Sent from the Struts - User mailing list archive at Nabble.com.
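
The approach mentioned in the thread (escape only the inserted parameter, keep the markup of the message itself) matters once the tags are rendered with escape="false", because the tag then no longer protects against markup arriving in a parameter. This is an added example, not code from the thread or from Struts; the class and method names are hypothetical, the sample inputs are constructed, and the resulting string is what would be handed to the action message list.

```java
import java.text.MessageFormat;

public class EscapedMessageParams {

    // Minimal HTML escaper for element text and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // The template is trusted (written by the developer, e.g. in a resource
    // bundle) and may contain markup. Every argument is treated as untrusted
    // and escaped before it is substituted into the template.
    static String formatTrustedTemplate(String template, Object... untrustedArgs) {
        Object[] safe = new Object[untrustedArgs.length];
        for (int i = 0; i < untrustedArgs.length; i++) {
            safe[i] = escapeHtml(String.valueOf(untrustedArgs[i]));
        }
        return new MessageFormat(template).format(safe);
    }

    public static void main(String[] args) {
        // Message wording taken from the thread; <strong> is the intended markup.
        String template =
            "User with email <strong>{0}</strong> registered successfully.";

        // Constructed inputs: a normal address and one carrying markup characters.
        String[] emails = { "user@example.com", "<em>eve</em>&co@example.com" };

        for (String email : emails) {
            // Only the <strong> from the template survives as real markup;
            // anything in the parameter is rendered as literal text.
            System.out.println(formatTrustedTemplate(template, email));
        }
    }
}
```

With escape="false" on the tag, every message added anywhere in the application has to be built this way, including messages that echo field values back in validation errors.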




Re: Struts 2.1.8: Do we need to escape messages?

Posted by Wes Wannemacher <we...@wantii.com>.
I don't remember when it was added, but there is an attribute for
s:property called 'escape' that defaults to 'true'

http://struts.apache.org/2.x/docs/property.html

If you set it to false, then you will probably get what you want.

-Wes

On Fri, Oct 16, 2009 at 6:05 AM, Alex Siman <al...@gmail.com> wrote:
>
> I have just found that Struts 2.1.8 escapes messages, so instead of a message
> (in browser) like:
> User with email user@example.com registered successfully.
>
> now I get this one:
> User with email &lt;strong&gt;user@example.com&lt;/strong&gt; registered
> successfully.
>
> In the first example I used to escape only the inserted parameter "email".
> I am not against automatic escaping of messages. It's good for security. But
> I wonder how to use the expected HTML markup in messages? Maybe you have
> any other design solution?
>
> P.S. The downside of upgrades.
>



-- 
Wes Wannemacher

Head Engineer, WanTii, Inc.
Need Training? Struts, Spring, Maven, Tomcat...
Ask me for a quote!



Re: Struts 2.1.8: Do we need to escape messages?

Posted by Denis Cabasson <ca...@gmail.com>.
What code are you using to output this message? Is it a s:text? a 
s:property?

Alex Siman wrote:
> I have just found that Struts 2.1.8 escapes messages, so instead of a message
> (in browser) like:
> User with email user@example.com registered successfully.
>
> now I get this one:
> User with email &lt;strong&gt;user@example.com&lt;/strong&gt; registered
> successfully.
>
> In the first example I used to escape only the inserted parameter "email".
> I am not against automatic escaping of messages. It's good for security. But
> I wonder how to use the expected HTML markup in messages? Maybe you have
> any other design solution?
>
> P.S. The downside of upgrades.
>   

