
Multiple escaping when passing variables

Open mikeya opened this issue 10 years ago • 6 comments

It'd be nice to figure out a pattern that doesn't cause multiple escaping. For example:

<c:set var='testEscapingVar' value='<script>alert(\"boo\");</script>"'/>
<c:set var='testEscapingVar' value='${testEscapingVar}'/>
<c:set var='testEscapingVar' value='${testEscapingVar}'/>

${testEscapingVar}

causes: &amp;lt;script&amp;gt;alert(&amp;#034;boo&amp;#034;);&amp;lt;/script&amp;gt;&amp;#034;

any thoughts?

mikeya avatar Jun 16 '15 00:06 mikeya

You can disable escaping for all of the variable references except for one:

<%@ taglib prefix="enhance" uri="http://pukkaone.github.com/jsp" %>

<enhance:out escapeXml="false">
  <c:set var='testEscapingVar' value='<script>alert(\"boo\");</script>"'/>
  <c:set var='testEscapingVar' value='${testEscapingVar}'/>
</enhance:out>
<c:set var='testEscapingVar' value='${testEscapingVar}'/>

${testEscapingVar}

pukkaone avatar Jun 16 '15 05:06 pukkaone

I understand, but what if we're passing around variables through JSPs/JSPFs? I'd really like to avoid tagging a bunch of places with <enhance:out escapeXml="false"></enhance:out>

mikeya avatar Jun 16 '15 16:06 mikeya

The pattern I suggest is to make a JSP a passive view that does not implement any presentation logic that sets a variable. The JSP only reads variables.

pukkaone avatar Jun 17 '15 22:06 pukkaone
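The compounding that mikeya reports, and both remedies given in this thread (pukkaone's escapeXml="false" around the intermediate references, and the passive-view pattern where the JSP only reads a value the controller stored), as an added Python simulation. This is not webappenhance code: PageContext, c_set, el and the passes counter are assumptions that model an EL resolver which escapes every variable read while escaping is enabled, and escape_xml applies the same five replacements as JSTL's escapeXml, which is what the entities in the reported output look like.

```python
"""Simulation of an auto-escaping EL resolver (assumption: models the behaviour
described in the issue thread, not webappenhance's own implementation)."""
import html

# The five replacements JSTL's escapeXml performs; numeric entities for quotes.
ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&#034;", "'": "&#039;"}


def escape_xml(value: str) -> str:
    """Escape one string the way escapeXml="true" does."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


class PageContext:
    """Page variables plus the switch that <enhance:out escapeXml="false"> toggles."""

    def __init__(self, escaping: bool = True):
        self.vars = {}
        self.escaping = escaping
        self.passes = 0  # number of times a value went through escape_xml

    def el(self, name: str) -> str:
        """Evaluate ${name}: the resolver escapes every read while escaping is on."""
        value = self.vars[name]
        if self.escaping and isinstance(value, str):
            self.passes += 1
            return escape_xml(value)
        return value

    def c_set(self, name: str, value=None, el=None) -> None:
        """<c:set var=name value=...>: a literal is stored as-is,
        an EL value is read through el() and so may be escaped first."""
        self.vars[name] = self.el(el) if el is not None else value


# Constructed input: the literal from the issue, including its trailing quote.
RAW = '<script>alert("boo");</script>"'


def reproduce_issue():
    """Literal set, two EL copies, one EL output: three escaping passes."""
    ctx = PageContext()
    ctx.c_set("v", value=RAW)
    ctx.c_set("v", el="v")
    ctx.c_set("v", el="v")
    return ctx.el("v"), ctx.passes


def fix_with_escape_disabled():
    """Switch escaping off around every copy so only the final output escapes."""
    ctx = PageContext()
    ctx.c_set("v", value=RAW)
    ctx.escaping = False      # <enhance:out escapeXml="false">
    ctx.c_set("v", el="v")
    ctx.c_set("v", el="v")
    ctx.escaping = True       # </enhance:out>
    return ctx.el("v"), ctx.passes


def fix_passive_view():
    """Controller stores the raw value once; the passive view only reads it."""
    ctx = PageContext()
    ctx.vars["v"] = RAW       # set outside the JSP (simulated request attribute)
    return ctx.el("v"), ctx.passes


def browser_text(markup: str) -> str:
    """What a browser displays for emitted markup: one round of entity decoding."""
    return html.unescape(markup)


if __name__ == "__main__":
    markup, passes = reproduce_issue()
    print(passes, "passes, browser shows:", browser_text(markup))
    print(fix_with_escape_disabled())
    print(fix_passive_view())
```

Counting passes makes the rule explicit: every `${...}` evaluated under the resolver is one escaping pass, and `<c:set>` stores the escaped result, so the only single-escaped shapes are one read of a raw value or escaping switched off around every intermediate copy. The browser_text helper also shows why three passes emit markup that renders as the two-level entity string quoted in the issue.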

Why do you need to escape manually if it automatically escapes?

AlexByte avatar May 22 '17 09:05 AlexByte

With EscapeXmlELResolverListener registered, the values from all JSP variable references will be escaped. Sometimes you don't want the values escaped. The tag <enhance:out escapeXml="false"> disables escaping.

pukkaone avatar May 22 '17 13:05 pukkaone

I know it. It's a question to the author of the issue.

AlexByte avatar May 22 '17 13:05 AlexByte