jsr341-experts@el-spec.java.net

[jsr341-experts] Re: JSR341 Feature List

From: Mark Thomas <markt_at_apache.org>
Date: Mon, 22 Aug 2011 11:32:49 +0100

On 19/08/2011 00:40, Kin-man Chung wrote:
> I've compiled a list of features that we plan to do for this JSR. See
> the wiki
>
> http://java.net/projects/el-spec/pages/FeatureList
>
> The items in the list are grouped under 4 priorities, in no particular
> order.
>
> I still need to go over the bugs in JSP and UEL to add feature requests or
> bug reports to the list.
>
> Please feel free to arrange the list or add to it.

If others agree, I'd like to see String concatenation and cache control
bumped up the priority list.

Other than that, it looks good to me.

One additional feature request I have seen is for context-sensitive
encoding of output (i.e. HTML encoded, JavaScript encoded, CSS encoded,
etc.) to ensure that the output of the EL is safe to use (e.g. no XSS).

I am not at all sure EL is the right place to implement this but I'd be
interested in everyone else's thoughts.

Reasons for providing these functions:
- there are way too many (often incomplete) implementations of the escaping
- it should be a platform provided service

Reasons for not providing these functions:
- EL is far from the only place where the escaping is required
- EL shouldn't be required in order to provide output escaping
- Slightly higher up the stack (JSP spec?) seems a more natural place

Mark
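
The context-sensitive encoding mentioned in the message above, as an added example that is not part of the original post or of any EL or JSP API: the same value needs a different encoder depending on whether it lands in HTML, in a JavaScript string literal, or in a CSS string. The class name, method names and sample value are hypothetical.

```java
// Added example; class and method names are hypothetical, not a platform or EL API.
public final class ContextEncoders {

    // HTML text and quoted attribute values: replace the five significant characters.
    static String forHtml(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Quoted JavaScript string literal: every UTF-16 unit that is not an ASCII
    // letter or digit becomes a four-digit hex escape.
    static String forJavaScriptString(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (isAsciiAlnum(c)) out.append(c);
            else out.append(String.format("\\u%04x", (int) c));
        }
        return out.toString();
    }

    // Quoted CSS string: every code point that is not an ASCII letter or digit
    // becomes backslash + hex + one terminating space.
    static String forCssString(String s) {
        StringBuilder out = new StringBuilder();
        s.codePoints().forEach(cp -> {
            if (isAsciiAlnum(cp)) out.appendCodePoint(cp);
            else out.append(String.format("\\%x ", cp));
        });
        return out.toString();
    }

    static boolean isAsciiAlnum(int c) {
        return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
    }

    public static void main(String[] args) {
        String value = "Tom & \"Jerry\" <b> 'x'"; // constructed sample value
        System.out.println("html: " + forHtml(value));
        System.out.println("js:   " + forJavaScriptString(value));
        System.out.println("css:  " + forCssString(value));
    }
}
```

HTML-encoding alone leaves backslashes and line terminators untouched, which is why output placed in a script or style context needs its own encoder.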