I have an existing web application to which I need to add protection against script attacks. For this I need to escape strings before displaying them on pages. One approach is a servlet filter. The other one which I am exploring is: can I write an ELResolver which escapes the output of any other ELResolvers (array, map, etc.) if the return is of type String? Thanks,

+1  A: 

How about using the JSTL core out tag? The core out tag escapes the passed value by default.

Marimuthu Madasamy
Definitely the right way to go. I really wonder why EL missed the boat on this one and doesn't escape output.
laz
@laz: because the output is not in all cases controlled by the end user. Only user-controlled input (request headers, request parameters, request body, etc.) which is going to be redisplayed in the output is. The same "problem" exhibits in all other web-based templating languages like PHP, ASP, JSP (scriptlets), etc. This is not EL specific. It's the web developer who's responsible for preventing XSS, as he is for preventing SQL injections.
BalusC
Well, when you put it that way it makes sense ;). I'm still not completely sold though. I'm probably not imagining hard enough, but I can't think of many cases where you would want the output of an EL statement to display unescaped HTML. Am I missing something obvious? I'd think that would be the exception and not the rule. Then you could use <c:out> with escapeXml set to false. Then the intention is explicit.
laz
+2  A: 

There are two ways to achieve this with the help of JSTL (if not installed yet, just drop jstl-1.2.jar in the /WEB-INF/lib folder).

  1. Use the <c:out> tag of the JSTL core taglib. By default it escapes XML (and thus also HTML) special characters.

    <c:out value="${param.foo}" />
    
  2. Use the fn:escapeXml() function of the JSTL functions taglib. This is used "under the hood" by the <c:out> tag. It is more useful if you want more well-formed XML output and/or don't want to pollute your JSP with tags nested in attributes of other tags:

    <input name="foo" value="${fn:escapeXml(param.foo)}">
    

Update: as per your update/comment, which you incorrectly posted as an answer:

> c:out and fn:escapeXml are the obvious options. But I am just being lazy, trying to avoid changes to multiple JSPs, if I can achieve the same in one place.

No, you can't. Let this be a lesson for the next time to properly sanitize the user controlled inputs from the beginning on.

BalusC
Wouldn't it be ${fn:escapeXml(param.foo)} instead of fn.escapeXML?
Marimuthu Madasamy
@Marimuthu: right, that was just a typo. Maybe I was pressing the `Shift` key too late :) (Dutch keyboard layout)
BalusC
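As an added example, not taken from the answer or from JSTL itself, the standalone Java class below reproduces the five-character replacement that fn:escapeXml and <c:out> apply, and renders the `<input>` from the second option both with the raw `${param.foo}` value and with the escaped one, so you can see why the double quote matters inside an attribute value. The class and method names are mine; the entity spellings for the two quote characters follow the Apache taglibs implementation as I know it.

```java
import java.util.Arrays;
import java.util.List;

// Added example: mirrors what JSTL's fn:escapeXml / <c:out> do to a string
// before it reaches the response. Names in this class are mine, not JSTL's.
public class EscapeDemo {

    // Same five characters JSTL replaces. Numeric entities for the quotes
    // are what the Apache taglibs implementation emits (assumption noted above).
    public static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // The <input> from the answer: with escaped=false this is what a bare
    // ${param.foo} renders, with escaped=true what ${fn:escapeXml(param.foo)} renders.
    public static String inputTag(String foo, boolean escaped) {
        String v = escaped ? escapeXml(foo) : foo;
        return "<input name=\"foo\" value=\"" + v + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample values. The second contains a double quote, which is
        // the character that closes the value="..." attribute early when left raw;
        // the escaped form keeps the whole string inside the attribute.
        List<String> samples = Arrays.asList("plain text", "O\"Reilly <b>& co</b>");
        for (String foo : samples) {
            System.out.println("raw:     " + inputTag(foo, false));
            System.out.println("escaped: " + inputTag(foo, true));
        }
    }
}
```

Compile and run with `javac EscapeDemo.java && java EscapeDemo`; the escaped line for the second sample shows every `&`, `<`, `>` and `"` replaced, so the browser parses exactly one attribute value.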