Details
- Type: Improvement
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 2.0-RC1
- Fix Version/s: 2.0 Final
- Component/s: Web - JSF, Web - Spring, Web - Tapestry
- Labels: None
- Environment: winxp, jetty, postgres, IE
Description
I use addError(...) to reflect messages to the user - including user input.
If user input is something like <script>alert('hi');</script> - JS is being executed.
old:
<c:out value="$
I suggest:
<c:out value="${msg}" escapeXml="true"/>
same goes with errors. -> ${error}
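
The effect of the suggested change, as an added example that is not part of the original report or the project's code: a Java sketch that applies the same five-character escaping JSTL's `<c:out escapeXml="true">` performs to an error message carrying the reporter's input. `MessageEscapeDemo`, `render` and the sample message text are assumptions made for illustration.

```java
import java.util.List;

public class MessageEscapeDemo {

    // Same five-character mapping that JSTL's <c:out escapeXml="true"> applies.
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical stand-in for the messages/errors loop in the view.
    static String render(List<String> messages, boolean escape) {
        StringBuilder html = new StringBuilder("<div class=\"message\">\n");
        for (String m : messages) {
            html.append("  ").append(escape ? escapeXml(m) : m).append("<br/>\n");
        }
        return html.append("</div>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample: an error message that echoes user input back.
        String userInput = "<script>alert('hi');</script>";
        List<String> errors = List.of("Unknown user: " + userInput);

        String raw = render(errors, false);   // input reaches the page as markup
        String safe = render(errors, true);   // input reaches the page as text
        System.out.println("escapeXml off:\n" + raw + "\n");
        System.out.println("escapeXml on:\n" + safe);

        // Regression-style check: no literal tag may survive escaping.
        if (safe.contains("<script")) throw new AssertionError("markup survived escaping");
    }
}
```

This mapping covers HTML element content and quoted attribute values; values written into JavaScript or URL contexts need encoding specific to those contexts.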