Posted to users@tomcat.apache.org by Jeff Schnitzer <je...@infohazard.org> on 2005/06/16 10:15:39 UTC

Making ${expr} work like

The JSP/JSTL spec has a very sensible default regarding the escaping of 
XML characters in <c:out>.  That is to say, they are escaped unless you 
explicitly disable escaping.  In the days of JSTL 1.0, this had the 
effect of preventing most web designers from inadvertently introducing 
XSS vulnerabilities into their apps.

When JSP 2.0 came out with the free placement of naked ${expr} in JSP 
bodies, I naturally assumed that this expression would do the sensible, 
expected thing and escape XML characters.  I'm horrified to discover 
that this is not the case.

Is there any configuration parameter that tells Tomcat to do the *smart* 
thing rather than follow the spec?  I'd really rather not have to type 
<c:out> everywhere, including inside HTML attributes.  Not to mention 
search-and-replacing through all my existing JSP pages.

How did this behavior get into the spec??

Jeff Schnitzer
Voodoodyne Inc.
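As an added illustration, not part of Jeff's post or of Tomcat's own code: the substitution JSTL documents for <c:out> (also exposed as fn:escapeXml in the JSTL 1.1 functions taglib) written out as a small Java class beside the pass-through behaviour of a bare ${expr}; the class name, template string and input value are constructed for this example.

```java
// Added example (not from the original post): what JSTL's <c:out> does to a value
// before it reaches the page, versus what a bare ${expr} emits under JSP 2.0.
// escapeXml reproduces the substitution documented for <c:out escapeXml="true">:
// <, >, &, ', " become &lt;, &gt;, &amp;, &#039;, &#034;.
public class ElEscapingDemo {

    /** Escaping performed by <c:out> by default (and by JSTL 1.1's fn:escapeXml). */
    static String escapeXml(String value) {
        if (value == null) return "";
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** A bare ${expr} in JSP 2.0: the value is written through unchanged. */
    static String rawEl(String value) {
        return value == null ? "" : value;
    }

    public static void main(String[] args) {
        // Constructed request value; in a real page this would arrive via ${param.name}.
        String untrusted = "Tom & \"Jerry\" <b>";

        // One template that places the value both inside an attribute and in an element body.
        String template = "<input value=\"%s\"> <span>%s</span>";

        String unescaped = String.format(template, rawEl(untrusted), rawEl(untrusted));
        String escaped   = String.format(template, escapeXml(untrusted), escapeXml(untrusted));

        System.out.println("bare ${expr}: " + unescaped);
        System.out.println("<c:out>     : " + escaped);
        // Unescaped: the embedded quote closes the value attribute early and the <b> is
        // parsed as a real tag in the body. Escaped: the whole string stays plain text.
    }
}
```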
