http://issues.apache.org/bugzilla/show_bug.cgi?id=43497

Summary: Add ability to escape rendered output of JSP expressions
Product: Tomcat 6
Version: 6.0.14
Platform: Other
OS/Version: other
Status: NEW
Severity: enhancement
Priority: P3
Component: Jasper
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

JSP's Expression Language does not XML-escape its content by default. While <c:out> and ${fn:escapeXml(string)} can be used, I think it's a nice option to allow turning on escaping by default - in Tomcat's web.xml. This is similar to the "trimSpaces" option that Tomcat added before it was part of the JSP spec.

Related: http://raibledesigns.com/rd/entry/java_web_frameworks_and_xss

I'll attach a patch to make this possible.
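Because EL output is not escaped by default, every `${...}` written into template text has to be wrapped by hand. The following audit script is an added example, not part of the bug report or of Tomcat: a heuristic that lists EL expressions in JSP source that are neither inside a custom action tag such as `<c:out>` nor wrapped in `fn:escapeXml(...)`. The function name `find_unescaped_el` and the sample page are constructed for illustration.

```python
import re

# EL inside JSP comments is never rendered; EL inside a custom action tag
# (<prefix:name attr="...">) is passed to the tag, not written to the page.
JSP_COMMENT = re.compile(r"<%--.*?--%>", re.S)
ACTION_TAG = re.compile(
    r"""<[A-Za-z_][\w.-]*:[\w.-]+                      # <prefix:name
        (?:\s+[\w:.-]+\s*=\s*(?:"[^"]*"|'[^']*'))*     # attribute pairs
        \s*/?>""", re.X)
# ${...} not preceded by a backslash (\${ is a literal in JSP).
# Limitation: an EL string literal containing '}' ends the match early.
EL = re.compile(r"(?<!\\)\$\{([^}]*)\}")

def _blank(match):
    # Overwrite with spaces but keep newlines so line numbers stay correct.
    return re.sub(r"[^\n]", " ", match.group())

def find_unescaped_el(jsp_text):
    """Return [(line, expression)] for EL rendered straight into the page."""
    text = JSP_COMMENT.sub(_blank, jsp_text)
    text = ACTION_TAG.sub(_blank, text)
    findings = []
    for m in EL.finditer(text):
        expr = m.group(1).strip()
        if expr.startswith("fn:escapeXml("):
            continue  # escaped explicitly by the page author
        line = text.count("\n", 0, m.start()) + 1
        findings.append((line, expr))
    return findings

# Constructed sample page (not taken from any real application).
SAMPLE_JSP = """\
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- ${param.old} in a comment is ignored --%>
<h1>Hello, ${param.name}</h1>
<p><c:out value="${param.bio}"/></p>
<p>${fn:escapeXml(param.motto)}</p>
<c:if test="${not empty param.url}">
  <a href="${param.url}">home</a>
</c:if>
"""

if __name__ == "__main__":
    for line, expr in find_unescaped_el(SAMPLE_JSP):
        print(f"line {line}: unescaped EL ${{{expr}}}")
```

Findings are candidates for review rather than confirmed XSS: the script does not know whether a value is attacker-controlled, and it does not check for `<c:out escapeXml="false">`.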