Snippets from another offline conversation with the Tomcat folks.

>> Has Tomcat (the container) considered checking input URIs for scripting
>> tags and rendering them innocuous by substitution (e.g. <script> -->
>> &lt;script&gt;) therefore never writing back scripting tags to the
>> browser? Are there drawbacks to this approach?

I think it's been considered in the past, though I'm not certain what the conclusions were. It wouldn't be that hard to do with a Valve for the server as a whole, or with a Filter (which would also be server-independent and thus more portable) for a specific webapp.

>> Do you foresee any difficulty with using a jsp-examples snapshot from
>> 5.5.16 with the Tomcat 5.5.15 runtime?

No, that should be fine.

>> Better yet, any chance of
>> getting the TC 5.5.15 jsp-examples war with the security vulnerability
>> fixed?

No, we don't want to re-package and re-tag for this issue.
