The JSP/JSTL spec has a very sensible default regarding the escaping of XML characters in <c:out>. That is to say, they are escaped unless you explicitly disable escaping. In the days of JSTL 1.0, this had the effect of preventing most web designers from inadvertently introducing XSS vulnerabilities into their apps.

When JSP 2.0 came out with the free placement of naked ${expr} in JSP bodies, I naturally assumed that this expression would do the sensible, expected thing and escape XML characters. I'm horrified to discover that this is not the case.

Is there any configuration parameter that tells Tomcat to do the *smart* thing rather than follow the spec? I'd really rather not have to type <c:out> everywhere, including inside HTML attributes. Not to mention search-and-replacing through all my existing JSP pages.

How did this behavior get into the spec??

Jeff Schnitzer
Voodoodyne Inc.
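As an added illustration of the difference the post describes (this is example code, not part of the original message or of any Tomcat or JSTL documentation), the fragment below renders the same request parameter three ways: the naked JSP 2.0 `${expr}`, which writes the value through unchanged, and the two JSTL forms that apply the `<c:out>` default escaping, which turns `<`, `>`, `&`, `'` and `"` into character entities. The parameter name `name` and the `<input>` markup are constructed for the example; the `fn:escapeXml` function is the JSTL 1.1 equivalent of `<c:out>` that is usable inside attribute values.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<html>
<body>

<%-- 1. Naked EL: written verbatim. A request such as
        ?name=<script>...</script> lands in the page as markup (XSS). --%>
<p>Hello, ${param.name}</p>

<%-- 2. <c:out>: escapeXml defaults to true, so the same input is
        emitted as &lt;script&gt;...&lt;/script&gt; and rendered as text. --%>
<p>Hello, <c:out value="${param.name}"/></p>

<%-- 3. Inside an HTML attribute <c:out> is awkward to write, so use the
        JSTL 1.1 function, which performs the same escaping (including
        the quote characters that would otherwise close the attribute). --%>
<input type="text" name="name" value="${fn:escapeXml(param.name)}"/>

<%-- Rendering (2) and (3) shows the escaped text on screen; (1) is the
        behaviour the spec gives you by default for ${expr}. --%>
</body>
</html>
```

Only form (1) is affected by the JSP 2.0 behaviour complained about above; forms (2) and (3) keep the JSTL 1.0 escaping default, so a search for `${` occurrences that are not wrapped by `<c:out>` or `fn:escapeXml` is the practical way to find the exposed spots in existing pages.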
