There is a bug in the form:form tag - the action value is never HTML-escaped, even if the htmlEscape attribute is set to true. I'm wondering (a) if there's a simple workaround for this, and (b) whether the bug is in my understanding rather than in the code.

The bug is in org.springframework.web.servlet.tags.form.FormTag.resolveAction(). It calls ObjectUtils.getDisplayString(), which ignores the HTML escape setting. It should instead call this.getDisplayString().

I ran into this in a portlet application. Here's the context in which I use this. I'm in a JSP 1.2 container, so no fancy JSTL functions for me.

Code:
<portlet:actionURL var="submitUrl" portletMode="view" windowState="normal">
</portlet:actionURL>
<form:form method="post" action="${submitUrl}">
...
The generated submitUrl contains lots of ampersands, which mess up my nice beautiful XHTML code. I'd appreciate any suggestions on avoiding this.
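
The effect described in the post, as an added illustration that is not part of the original post and is not Spring's code: a URL containing bare ampersands is written into an action attribute once as-is and once HTML-escaped, and each result is checked for XML well-formedness with the JDK parser. The class name, the `escapeAttr` helper (a minimal stand-in for an HTML escaper) and the sample URL are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.helpers.DefaultHandler;

public class FormActionEscapeDemo {

    // Hypothetical helper: escapes the characters that are unsafe inside a
    // double-quoted HTML/XHTML attribute value.
    static String escapeAttr(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Renders the opening and closing form tags around the given action value.
    static String renderForm(String action) {
        return "<form method=\"post\" action=\"" + action + "\"></form>";
    }

    // True if the markup parses as well-formed XML, which XHTML output must be.
    static boolean isWellFormed(String markup) {
        try {
            DocumentBuilder b = DocumentBuilderFactory.newInstance().newDocumentBuilder();
            b.setErrorHandler(new DefaultHandler()); // keep parser errors off stderr
            b.parse(new ByteArrayInputStream(markup.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample URL with several query parameters.
        String submitUrl = "/portal/page?action=1&mode=view&state=normal";
        String raw = renderForm(submitUrl);
        String escaped = renderForm(escapeAttr(submitUrl));
        System.out.println(isWellFormed(raw) + "  " + raw);         // false: bare '&'
        System.out.println(isWellFormed(escaped) + "  " + escaped); // true: '&amp;'
    }
}
```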