
Jsp tags not working together with EL expressions

Open naftolib opened this issue 3 years ago • 3 comments

Hi. I would like to report an issue: when using the encoder with JSP tags it works perfectly only when using static content like this: `<e:forHtml value="</script>"/>`, but not when using EL like this: `<e:forHtml value="${param.id}"/>`. When using EL, the expression isn't being evaluated but rather gets printed as is on the screen. There might be something wrong with my web.xml and it would need additional configs to make it work, or there might be something with the tags such that they do not support EL. Please look into it.

Thanks a lot

naftolib avatar Mar 22 '22 15:03 naftolib

cc @jeremylong cc @kwwall help?

jmanico avatar Mar 22 '22 15:03 jmanico

@naftolib We would need a little more information about your project to help - as you appear to be using the exact same syntax that was tested and is documented: https://github.com/OWASP/owasp-java-encoder/blob/main/jsp/src/site/markdown/index.md#jsp-usage

If you are using EL - I would avoid using the tags and just use: `${e:forHtml(param.value)}`

jeremylong avatar Mar 25 '22 12:03 jeremylong

I have tried this syntax as well, `${e:forHtml(param.value)}`, but had the same issue. I managed to create my own tag as a wrapper around the OWASP tag and, using Apache ExpressionUtil, was able to get the expressions evaluated. If indeed EL was tested and works for you, then it's most probably our project setup which is causing the issue. Unfortunately I cannot share any project-specific details publicly. Thanks for your research.

naftolib avatar Mar 28 '22 15:03 naftolib
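An added example, not from the issue thread or the project's own docs, showing the JSP setup the thread assumes: the encoder taglib declaration, the tag with a static value, the tag with an EL attribute, and the EL function form jeremylong recommends. The page never confirms why the reporter's EL printed literally; the most common cause, a web.xml declared against the Servlet 2.3 DTD (or an `el-ignored` setting), which makes the container skip EL evaluation, is assumed here and countered with the `isELIgnored` page directive.

```jsp
<%-- isELIgnored="false" forces EL evaluation for this page even when web.xml
     disables it. EL is ignored by default when web.xml uses the Servlet 2.3
     DTD or older; with the Servlet 2.4+ schema it is evaluated unless a
     <jsp-property-group> sets <el-ignored>true</el-ignored>.
     (Assumed cause of the symptom in the thread; it is not confirmed there.) --%>
<%@ page contentType="text/html; charset=UTF-8" isELIgnored="false" %>
<%-- Taglib shipped in the org.owasp.encoder:encoder-jsp artifact. --%>
<%@ taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
<!DOCTYPE html>
<html>
<body>
<%-- 1. Static value, the case the reporter says works.
        Renders the text &lt;/script&gt; rather than closing a script block. --%>
<p><e:forHtml value="</script>"/></p>

<%-- 2. Tag attribute holding an EL expression. The tag's value attribute is
        EL-enabled, so a constructed request ?id=<b>x</b> renders the literal
        text &lt;b&gt;x&lt;/b&gt;. If the browser shows the characters
        ${param.id} instead, the container did not evaluate EL at all. --%>
<p><e:forHtml value="${param.id}"/></p>

<%-- 3. EL function form from the thread: same output as case 2, no tag. --%>
<p>${e:forHtml(param.id)}</p>

<%-- 4. Encoding is context specific: inside a script block the HTML encoder
        is the wrong choice; use the JavaScript string encoder instead. --%>
<script>var id = "${e:forJavaScript(param.id)}";</script>
</body>
</html>
```

The same effect as the page directive can be set once for the whole application in web.xml with `<jsp-config><jsp-property-group><url-pattern>*.jsp</url-pattern><el-ignored>false</el-ignored></jsp-property-group></jsp-config>`, which requires the Servlet 2.4 or newer schema in the `<web-app>` root element.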