Posted to dev@tomcat.apache.org by mraible <ma...@raibledesigns.com> on 2007/09/05 23:03:29 UTC

[Proposal] Add flag to escape JSP's EL by default

Hello all,

I'm working for a client that's using a proprietary Servlet/JSP-based
framework that runs on Tomcat. They have their own custom JSP compiler and
they're looking to move to a standard JSP compiler. One of the things their
compiler supports is automatic escaping of XML in expressions. For example,
${foo} would be escaped from <body> -> &lt;body&gt;. JSP EL does not do
this. It *doesn't* escape by default and instead requires you to wrap your
expressions with <c:out/> if you want escaping.

I'd like to ask what developers think about adding a flag (similar to
trimSpaces in web.xml) that allows users to change the escaping behavior
from false to true? 

I think this is a good option to have as it allows security-conscious
organizations to be paranoid and escape all content by default.

Thanks,

Matt

Related: http://raibledesigns.com/rd/entry/java_web_frameworks_and_xss
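To make the proposal concrete, here is an added toy example (not Jasper and not code from the post or from Tomcat) that renders the same ${foo} expression with the hypothetical escape-by-default flag off (today's JSP behaviour) and on (what wrapping it in <c:out/> gives). The escapeXml() helper mirrors the five characters JSTL's c:out escapes; the template syntax, variable names and sample values are assumptions constructed for the demo.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Toy renderer for ${name} expressions that shows the difference between
 * unescaped EL output and the proposed escape-by-default behaviour.
 */
public class ElEscapeDemo {

    // Matches a simple ${identifier} expression (a subset of real EL).
    private static final Pattern EL =
            Pattern.compile("\\$\\{([A-Za-z_][A-Za-z0-9_]*)\\}");

    /** Escapes the same characters JSTL's c:out escapes when escapeXml="true". */
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Substitutes ${name} with its value; escapeByDefault stands in for the proposed flag. */
    static String render(String template, Map<String, String> vars, boolean escapeByDefault) {
        Matcher m = EL.matcher(template);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String value = vars.getOrDefault(m.group(1), "");
            String emitted = escapeByDefault ? escapeXml(value) : value;
            m.appendReplacement(sb, Matcher.quoteReplacement(emitted));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a value carrying markup that should be shown, not interpreted.
        Map<String, String> vars = Map.of("foo", "<body>");
        String page = "<p>${foo}</p>";
        System.out.println("flag off: " + render(page, vars, false));
        System.out.println("flag on : " + render(page, vars, true));
    }
}
```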




