2009/9/28 Alex Turner <[email protected]>
> Forgive my ignorance, but isn't this only an issue if you treat jsp like
> php? If you are using a framework like stripes, you can sanitize the input
> in the controller either with an interceptor or by putting sanitization
> logic in the set method in the action bean. The default namespace in jsp is
> tied to the page context, the request context, the application context and
> the session context, NOT the parameter context. You must explicitly put
> ${param.name} to get an input parameter. This would be a big warning flag
> if found in any app.
>
You're getting confused with sanitizing input and sanitizing output (I think). I'm talking about the latter. And it seems to me that it's the job of the view technology to be certain that it's generating the view 100% correctly, i.e. escaping HTML unless you ask it not to. I shouldn't have to call escaping functions when passing data to the view — that presupposes too much about what the view will be doing.

What I would like ideally would be something like google-ctemplate. That automatically escapes correctly based on context. But that's for C++…

http://code.google.com/p/google-ctemplate/

-Dom
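As an added illustration of the context-aware output escaping Dom is asking for (example code written for this page, not code from the thread, from google-ctemplate, or from any JSP framework; it uses Python with a constructed `{{name}}` placeholder syntax and `{{name|raw}}` as the explicit opt-out, rather than JSP EL), the renderer below looks at where each placeholder sits in the template and picks the escaper for that spot: element text, a quoted attribute value, or a `<script>` block. The same untrusted value is therefore encoded three different ways without the controller ever calling an escaping function.

```python
import html
import json
import re

# Constructed mini-template syntax for this example: {{name}} is escaped for
# its context, {{name|raw}} is the explicit opt-out. Not ctemplate's syntax.
PLACEHOLDER = re.compile(r"\{\{(\w+)(\|raw)?\}\}")

# An opened <script ...> tag with no </script> after it in the same prefix.
OPEN_SCRIPT = re.compile(r"<script\b[^>]*>(?!.*</script>)", re.I | re.S)
# An attribute whose quoted value has not been closed yet, e.g. `<a title="`.
OPEN_ATTR = re.compile(r"""=\s*(?:"[^"]*|'[^']*)$""")


def classify_context(prefix: str) -> str:
    """Work out a placeholder's output context from the template text before it."""
    if OPEN_SCRIPT.search(prefix):
        return "js"
    last_lt, last_gt = prefix.rfind("<"), prefix.rfind(">")
    if last_lt > last_gt and OPEN_ATTR.search(prefix[last_lt:]):
        return "attr"
    return "html"


def escape_for(context: str, value: str) -> str:
    """Encode value so it cannot change the structure of the given context."""
    if context == "html":
        return html.escape(value, quote=False)   # & < > in element text
    if context == "attr":
        return html.escape(value, quote=True)    # additionally " and ' in attributes
    if context == "js":
        # Emit a JS string literal; also neutralise "</" so the value can never
        # terminate the surrounding <script> block.
        return json.dumps(value).replace("</", "<\\/")
    raise ValueError(f"unknown context {context!r}")


def render(template: str, values: dict) -> str:
    """Substitute placeholders, choosing the escaper from where each one sits."""
    out = []
    pos = 0
    for m in PLACEHOLDER.finditer(template):
        name, raw = m.group(1), m.group(2)
        out.append(template[pos:m.start()])
        value = str(values[name])
        if raw:
            out.append(value)   # the template author explicitly asked for no escaping
        else:
            out.append(escape_for(classify_context(template[:m.start()]), value))
        pos = m.end()
    out.append(template[pos:])
    return "".join(out)


# Constructed sample: one value lands in three different contexts.
SAMPLE_TEMPLATE = (
    '<p>Hello {{name}}</p>'
    '<a title="{{name}}">profile</a>'
    '<script>var user = {{name}};</script>'
)
SAMPLE_VALUE = 'Tom & "Jerry" </script>'


def demo() -> str:
    return render(SAMPLE_TEMPLATE, {"name": SAMPLE_VALUE})


if __name__ == "__main__":
    print(demo())
```

The context is decided from the static template text, not from the rendered output, so earlier substitutions can never shift a later placeholder into a different context. A production engine would use a proper HTML/JS state machine rather than these two regexes, but the division of labour is the point: the view decides the encoding, and the controller only hands over data.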
