Posted to dev@tomcat.apache.org by bu...@apache.org on 2007/09/27 04:03:43 UTC

DO NOT REPLY [Bug 43497] New: - Add ability to escape rendered output of JSP expressions

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43497>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=43497

           Summary: Add ability to escape rendered output of JSP expressions
           Product: Tomcat 6
           Version: 6.0.14
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: enhancement
          Priority: P3
         Component: Jasper
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: mraible@apache.org


JSP's Expression Language does not XML-escape its content by default. While
<c:out> and ${fn:escapeXml(string)} can be used, I think it's a nice option to
allow turning on escaping by default - in Tomcat's web.xml. This is similar to
the "trimSpaces" option that Tomcat added before it was part of the JSP spec.

Related: http://raibledesigns.com/rd/entry/java_web_frameworks_and_xss

I'll attach a patch to make this possible.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
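The three forms the report contrasts, shown side by side as an added JSP fragment that is not part of the bug report or its attached patch; the request parameter name `comment` is assumed for illustration:

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- Untrusted input: a request parameter (name "comment" assumed for this example). --%>

<%-- 1. Raw EL: Jasper writes the value unchanged, so any markup in the
        parameter becomes markup in the page. This is the default behaviour
        the report describes. --%>
<p>${param.comment}</p>

<%-- 2. JSTL <c:out>: its escapeXml attribute defaults to true, so &, <, >,
        " and ' are written as character entities and the browser shows the
        value literally. --%>
<p><c:out value="${param.comment}"/></p>

<%-- 3. JSTL function: the same escaping applied inside an EL expression,
        which also works in attribute values where a tag cannot be nested. --%>
<p title="${fn:escapeXml(param.comment)}">${fn:escapeXml(param.comment)}</p>
```

Only form 1 depends on the proposed web.xml switch; forms 2 and 3 escape regardless of container configuration.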


DO NOT REPLY [Bug 43497] - Add ability to escape rendered output of JSP expressions

Posted by bu...@apache.org.

------- Additional Comments From mraible@apache.org  2007-09-26 19:04 -------
Created an attachment (id=20891)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=20891&action=view)
Patch to add the ability to escape the rendered output of JSP's EL by default

