Posted to dev@tomcat.apache.org by bu...@apache.org on 2007/09/27 04:03:43 UTC
DO NOT REPLY [Bug 43497] New: - Add ability to escape rendered output of JSP expressions
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43497>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=43497
Summary: Add ability to escape rendered output of JSP expressions
Product: Tomcat 6
Version: 6.0.14
Platform: Other
OS/Version: other
Status: NEW
Severity: enhancement
Priority: P3
Component: Jasper
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: mraible@apache.org
JSP's Expression Language does not XML-escape its content by default. While
<c:out> and ${fn:escapeXml(string)} can be used, I think it's a nice option to
allow turning on escaping by default - in Tomcat's web.xml. This is similar to
the "trimSpaces" option that Tomcat added before it was part of the JSP spec.
Related: http://raibledesigns.com/rd/entry/java_web_frameworks_and_xss
I'll attach a patch to make this possible.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
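The behaviour the report describes, as an added example that is not part of the bug report or the attached patch: a JSP that renders the same request parameter through plain EL, `<c:out>` and `fn:escapeXml`. It assumes JSTL 1.1 or later is deployed with the web application; the file name `demo.jsp` and the parameter name `q` are hypothetical.

```jsp
<%-- demo.jsp: added illustration, not Tomcat or Jasper code.
     Assumptions: JSTL 1.1+ on the classpath, EL enabled (Servlet 2.4+ web.xml),
     request parameter "q" chosen for this example only. --%>
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<html>
<body>

  <%-- 1. Plain EL in template text. The value is written to the response
          unchanged, so any markup in q is interpreted by the browser.
          This is the default the report asks to make configurable. --%>
  <p>Raw EL: ${param.q}</p>

  <%-- 2. c:out escapes by default (escapeXml="true"):
          the characters < > & ' " are replaced with character references. --%>
  <p>c:out: <c:out value="${param.q}"/></p>

  <%-- 3. fn:escapeXml applies the same escaping and can be used where a tag
          cannot, for example inside an attribute value. --%>
  <p>fn:escapeXml: ${fn:escapeXml(param.q)}</p>
  <input type="text" name="q" value="${fn:escapeXml(param.q)}"/>

  <%-- 4. c:out with escaping switched off behaves like case 1. Searching
          templates for escapeXml="false" and for bare ${...} in template
          text is a quick way to list the outputs that rely on the caller
          having escaped the value already. --%>
  <p>c:out, escapeXml off: <c:out value="${param.q}" escapeXml="false"/></p>

</body>
</html>
```

XML escaping as in cases 2 and 3 is appropriate for HTML element content and quoted attribute values; values placed inside script blocks or URLs need encoding for that context instead.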
DO NOT REPLY [Bug 43497] - Add ability to escape rendered output of JSP expressions
Posted by bu...@apache.org.
------- Additional Comments From mraible@apache.org 2007-09-26 19:04 -------
Created an attachment (id=20891)
--> (http://issues.apache.org/bugzilla/attachment.cgi?id=20891&action=view)
Patch to add the ability to escape the rendered output of JSP's EL by default