Posted to user@struts.apache.org by Alex Siman <al...@gmail.com> on 2009/10/16 12:05:03 UTC
Struts 2.1.8: Do we need to escape messages?
I have just found that Struts 2.1.8 escapes messages, so instead of a message
(in browser) like:
User with email user@example.com registered successfully.
now I get this one:
User with email <strong>user@example.com</strong> registered
successfully.
In the first example I used to escape only the inserted parameter "email".
I am not against automatic escaping of messages. It's good for security. But
I am wondering how to use expected HTML markup in messages. Maybe you have
any other design solution?
P.S. The downside of upgrades.
--
View this message in context: http://www.nabble.com/Struts-2.1.8%3A-Do-we-need-to-escape-messages--tp25922882p25922882.html
Sent from the Struts - User mailing list archive at Nabble.com.
Re: Struts 2.1.8: Do we need to escape messages?
Posted by Alex Siman <al...@gmail.com>.
These tags are:
<s:actionmessage/>
<s:actionerror/>
I have written about it in this thread already. Please, read this message:
http://www.nabble.com/Re%3A-Struts-2.1.8%3A-Do-we-need-to-escape-messages--p25927098.html
dcabasson wrote:
>
> What code are you using to output this message? Is it a s:text? a
> s:property?
>
> Denis.
>
> Alex Siman wrote:
>> I have just found that Struts 2.1.8 escapes messages, so instead of a
>> message (in browser) like:
>> User with email user@example.com registered successfully.
>>
>> now I get this one:
>> User with email <strong>user@example.com</strong> registered
>> successfully.
>>
>> In the first example I used to escape only the inserted parameter "email".
>> I am not against automatic escaping of messages. It's good for security.
>> But I am wondering how to use expected HTML markup in messages. Maybe you
>> have any other design solution?
>>
>> P.S. The downside of upgrades.
>>
--
View this message in context: http://www.nabble.com/Struts-2.1.8%3A-Do-we-need-to-escape-messages--tp25922882p25937213.html
Sent from the Struts - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: Struts 2.1.8: Do we need to escape messages?
Posted by Denis Cabasson <de...@gmail.com>.
What code are you using to output this message? Is it a s:text? a
s:property?
Denis.
Alex Siman wrote:
> I have just found that Struts 2.1.8 escapes messages, so instead of a message
> (in browser) like:
> User with email user@example.com registered successfully.
>
> now I get this one:
> User with email <strong>user@example.com</strong> registered
> successfully.
>
> In the first example I used to escape only the inserted parameter "email".
> I am not against automatic escaping of messages. It's good for security. But
> I am wondering how to use expected HTML markup in messages. Maybe you have
> any other design solution?
>
> P.S. The downside of upgrades.
>
Re: Struts 2.1.8: Do we need to escape messages?
Posted by Alex Siman <al...@gmail.com>.
Thanks for the hint! I have found where messages get escaped:
<s:actionmessage escape="false"/>
<s:actionerror escape="false"/>
Previously I had this variant:
<s:actionmessage/>
<s:actionerror/>
Now these tags escape messages by default. Beware, upgraders!
I think this note must be included here:
http://struts.apache.org/2.1.8/migration-guide.html
BTW, the above link, and many others in the wiki, is broken.
Wes Wannemacher wrote:
>
> I don't remember when it was added, but there is an attribute for
> s:property called 'escape' that defaults to 'true'
>
> http://struts.apache.org/2.x/docs/property.html
>
> If you set it to false, then you will probably get what you want.
>
> -Wes
>
> On Fri, Oct 16, 2009 at 6:05 AM, Alex Siman <al...@gmail.com>
> wrote:
>>
>> I have just found that Struts 2.1.8 escapes messages, so instead of a
>> message (in browser) like:
>> User with email user@example.com registered successfully.
>>
>> now I get this one:
>> User with email <strong>user@example.com</strong> registered
>> successfully.
>>
>> In the first example I used to escape only the inserted parameter "email".
>> I am not against automatic escaping of messages. It's good for security.
>> But I am wondering how to use expected HTML markup in messages. Maybe you
>> have any other design solution?
>>
>> P.S. The downside of upgrades.
>>
>
>
>
> --
> Wes Wannemacher
>
> Head Engineer, WanTii, Inc.
> Need Training? Struts, Spring, Maven, Tomcat...
> Ask me for a quote!
>
--
View this message in context: http://www.nabble.com/Struts-2.1.8%3A-Do-we-need-to-escape-messages--tp25922882p25927098.html
Sent from the Struts - User mailing list archive at Nabble.com.
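The approach described in this message (keep the template's own markup, escape only the inserted parameter) is what has to be in place before `escape="false"` is set on these tags. The following is an added example, not code from the thread or from Struts; the class and helper names are hypothetical and the template and inputs are constructed for illustration.

```java
import java.text.MessageFormat;

public class SafeActionMessage {

    // Trusted template (constructed for this example): the markup is written by the developer.
    static final String TEMPLATE =
        "User with email <strong>{0}</strong> registered successfully.";

    // Minimal HTML escaper for text placed in element content or quoted attributes.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Escape every untrusted argument first, then substitute into the trusted template.
    static String buildMessage(String template, String... untrustedArgs) {
        Object[] escaped = new Object[untrustedArgs.length];
        for (int i = 0; i < untrustedArgs.length; i++) {
            escaped[i] = escapeHtml(untrustedArgs[i]);
        }
        return MessageFormat.format(template, escaped);
    }

    public static void main(String[] args) {
        // In a Struts 2 action the result would be passed to addActionMessage(...)
        // and rendered by <s:actionmessage escape="false"/>.
        System.out.println(buildMessage(TEMPLATE, "user@example.com"));
        // Constructed input carrying markup in the parameter: it is emitted as text, not as tags.
        System.out.println(buildMessage(TEMPLATE, "<em>a</em>@example.com"));
    }
}
```

With the tag's default escaping left on, the template's `<strong>` is escaped as well, which is the behaviour reported at the start of the thread.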
Re: Struts 2.1.8: Do we need to escape messages?
Posted by Wes Wannemacher <we...@wantii.com>.
I don't remember when it was added, but there is an attribute for
s:property called 'escape' that defaults to 'true'
http://struts.apache.org/2.x/docs/property.html
If you set it to false, then you will probably get what you want.
-Wes
On Fri, Oct 16, 2009 at 6:05 AM, Alex Siman <al...@gmail.com> wrote:
>
> I have just found that Struts 2.1.8 escapes messages, so instead of a message
> (in browser) like:
> User with email user@example.com registered successfully.
>
> now I get this one:
> User with email <strong>user@example.com</strong> registered
> successfully.
>
> In the first example I used to escape only the inserted parameter "email".
> I am not against automatic escaping of messages. It's good for security. But
> I am wondering how to use expected HTML markup in messages. Maybe you have
> any other design solution?
>
> P.S. The downside of upgrades.
>
--
Wes Wannemacher
Head Engineer, WanTii, Inc.
Need Training? Struts, Spring, Maven, Tomcat...
Ask me for a quote!
Re: Struts 2.1.8: Do we need to escape messages?
Posted by Denis Cabasson <ca...@gmail.com>.
What code are you using to output this message? Is it a s:text? a
s:property?
Alex Siman wrote:
> I have just found that Struts 2.1.8 escapes messages, so instead of a message
> (in browser) like:
> User with email user@example.com registered successfully.
>
> now I get this one:
> User with email <strong>user@example.com</strong> registered
> successfully.
>
> In the first example I used to escape only the inserted parameter "email".
> I am not against automatic escaping of messages. It's good for security. But
> I am wondering how to use expected HTML markup in messages. Maybe you have
> any other design solution?
>
> P.S. The downside of upgrades.
>