Forgive my ignorance, but isn't this only an issue if you treat jsp
like php? If you are using a framework like stripes, you can sanitize
the input in the controller either with an interceptor or by putting
sanitization logic in the set method in the action bean. The default
namespace in jsp is tied to the page context, the request context, the
application context and the session context, NOT the parameter
context. You must explicitly put ${param.name} to get an input
parameter. This would be a big warning flag if found in any app.
Sent from my iPod
On Sep 27, 2009, at 4:08 PM, Dominic Mitchell <[email protected]>
wrote:
> On Sun, Sep 27, 2009 at 8:53 PM, Alex Turner <[email protected]> wrote:
> JSP may not be the slickest templating system, but it's easy and
> gets the job done.
>
> The problem I always found with JSP was that there was no way to get
> it to escape HTML by default (unless I tell it otherwise). This
> means I have to say <c:out value="foo" /> for every single
> variable. If I forget ― boom, instant cross-site-scripting hole.
>
> It's quite likely that I've simply missed some configuration
> setting, but I didn't see it when I hunted for it.
>
> In the Perl world, I used HTML::Mason, which worked well and offered
> this feature.
>
> -Dom
>
> >
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "The
Java Posse" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/javaposse?hl=en
-~----------~----~----~----~------~----~------~--~---
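The contrast discussed above between a raw `${param.name}` and `<c:out value="${param.name}"/>`, plus the "sanitize in the action bean setter" approach, as an added Java illustration that is not code from this thread, from Stripes or from JSTL. The class and method names (`JspOutputEscapingDemo`, `rawEl`, `cOut`, `GreetingActionBean`) are hypothetical; the escape table is the one JSTL's `c:out` applies with its default `escapeXml="true"`.

```java
// Added illustration (not from the thread, Stripes or JSTL). Models what the two
// JSP expressions emit for the same request parameter:
//   ${param.name}                   -> the raw value, no escaping
//   <c:out value="${param.name}"/>  -> escaped, because escapeXml defaults to true
import java.util.Map;

public class JspOutputEscapingDemo {

    /** What ${param.name} emits: the parameter exactly as received. */
    static String rawEl(Map<String, String> params, String name) {
        String v = params.get(name);
        return v == null ? "" : v;          // EL renders a missing value as ""
    }

    /** What <c:out value="${param.name}"/> emits with the default escapeXml="true".
     *  The five replacements are the ones JSTL's c:out performs. */
    static String cOut(Map<String, String> params, String name) {
        StringBuilder sb = new StringBuilder();
        for (char ch : rawEl(params, name).toCharArray()) {
            switch (ch) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    /** Stripes-style action bean (hypothetical): the setter validates the input
     *  before the page ever sees it, as the first reply suggests. */
    static class GreetingActionBean {
        private String name;
        public void setName(String name) {
            // Allow-list: letters, spaces, hyphens and apostrophes; anything else is rejected
            if (name == null || !name.matches("[\\p{L} '-]{1,40}")) {
                throw new IllegalArgumentException("invalid name");
            }
            this.name = name;
        }
        public String getName() { return name; }
    }

    public static void main(String[] args) {
        // Constructed sample request parameter carrying markup (not from the thread)
        Map<String, String> params = Map.of("name", "Bob <script>alert(1)</script>");
        System.out.println("${param.name} -> " + rawEl(params, "name")); // markup reaches the browser
        System.out.println("<c:out .../>  -> " + cOut(params, "name"));  // rendered as inert text
        try {
            new GreetingActionBean().setName(params.get("name"));
        } catch (IllegalArgumentException e) {
            System.out.println("setter rejected: " + e.getMessage()); // never reaches the JSP
        }
    }
}
```

Output escaping with `<c:out>` and input validation in the setter are complementary: the setter cannot know every context the value will later be rendered in, and the escape only protects HTML text content, not attribute or script contexts.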