tomcat-users mailing list archives

From Jeff Schnitzer <>
Subject Making ${expr} work like <c:out value="${expr}"/>
Date Thu, 16 Jun 2005 08:15:39 GMT
The JSP/JSTL spec has a very sensible default regarding the escaping of 
XML characters in <c:out>.  That is to say, they are escaped unless you 
explicitly disable escaping.  In the days of JSTL 1.0, this had the 
effect of preventing most web designers from inadvertently introducing 
XSS vulnerabilities into their apps.

When JSP 2.0 came out with the free placement of naked ${expr} in JSP 
bodies, I naturally assumed that this expression would do the sensible, 
expected thing and escape XML characters.  I'm horrified to discover 
that this is not the case.

Is there any configuration parameter that tells Tomcat to do the *smart* 
thing rather than follow the spec?  I'd really rather not have to type 
<c:out> everywhere, including inside HTML attributes.  Not to mention 
search-and-replacing through all my existing JSP pages.

How did this behavior get into the spec??

Jeff Schnitzer
Voodoodyne Inc.
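As an added illustration (not part of the message above, and not Tomcat or JSTL code), the following standalone Java program reproduces the five-character XML escaping that JSTL's `<c:out>` applies by default and contrasts it with the unescaped output a naked JSP 2.0 `${expr}` produces, in both element-body and attribute context. The class name, method names and the sample input string are constructed for this demonstration.

```java
import java.util.Objects;

public class JstlEscapeDemo {

    /**
     * The escaping JSTL's <c:out> performs when escapeXml is true (the default):
     * the five characters <, >, &, ' and " become character references.
     * Everything else passes through unchanged.
     */
    public static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Models what a naked ${expr} in a JSP 2.0 page body emits: the value as-is
     * (EL coerces null to the empty string, but performs no escaping).
     */
    public static String nakedEl(String value) {
        return Objects.requireNonNullElse(value, "");
    }

    public static void main(String[] args) {
        // Constructed sample of untrusted input, as it might arrive in a request parameter.
        String untrusted = "Tom & Jerry <\"quoted\"> O'Reilly";

        // Element body: ${param.name} vs <c:out value="${param.name}"/>
        System.out.println("${param.name}                    -> " + nakedEl(untrusted));
        System.out.println("<c:out value=\"${param.name}\"/>  -> " + escapeXml(untrusted));

        // Attribute context: the same difference, which is why the post also
        // needs <c:out> inside HTML attributes. The raw value closes the quoted
        // attribute early; the escaped value stays inside it.
        System.out.println("<input value=\"${param.name}\">   -> <input value=\""
                + nakedEl(untrusted) + "\">");
        System.out.println("<input value=\"<c:out .../>\">    -> <input value=\""
                + escapeXml(untrusted) + "\">");
    }
}
```

Run it with `javac JstlEscapeDemo.java && java JstlEscapeDemo`. The hand-written `escapeXml` exists only to make the tag's behaviour visible; in a real page the JSTL tag (or the `fn:escapeXml` function) is the thing to use, and the practical takeaway is the same one the post makes: every `${expr}` that reaches the response, in a body or in an attribute, is raw output unless something escapes it.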
