On 08/22/11 03:32, Mark Thomas wrote:
> On 19/08/2011 00:40, Kin-man Chung wrote:
>
>> I've compiled a list of features that we plan to do for this JSR. See
>> the wiki
>>
>> http://java.net/projects/el-spec/pages/FeatureList
>>
>> The items in the list are grouped under 4 priorities, in no particular
>> order.
>>
>> I still need to go over the bugs in JSP and UEL to add feature requests or
>> bug reports to the list.
>>
>> Please feel free to arrange the list or add to it.
>>
> If others agree, I'd like to see String concatenation and cache control
> bumped up the priority list.
>
>
Yea, I'll bump up both to the YES list. I'll work on the details and
present a proposal this week.
I haven't given too much thought to cache control yet, but this seems
like a difficult problem. My original thinking is to borrow ideas from
garbage collection and just have methods for mark and release to manage
cache. No idea if that can be implemented efficiently, since we'll need
to maintain the cache on a per thread basis. If any of you have better
ideas, please let me know, but I'll put this on a side burner, and I
won't be able to come up with a proposal soon.
> Other than that, it looks good to me.
>
> One additional feature request I have seen is for context sensitive
> encoding of output (i.e. HTML encoded, JavaScript encoded, CSS encoded
> etc.) to ensure that the output of the EL is safe to use (e.g. no XSS).
>
>
It would help if you can list the possible escaping schemes that you
think may be useful. For instance, I know there are requests for XML
encodings. Are there others?
> I am not at all sure EL is the right place to implement this but I'd be
> interested in everyone else's thoughts.
> Reasons for providing these functions:
> - there are way too many (often incomplete) implementations of the escaping
> - it should be a platform provided service
> Reasons for not providing these functions:
> - EL is far from the only place where the escaping is required
> - EL shouldn't be required in order to provide output escaping
> - Slightly higher up the stack (JSP spec?) seems a more natural place
>
>
I don't think we should hard code the various escape sequences in EL
itself. However, we may be able to provide a filtering function in EL
so that applications can apply a filter to the EL outputs. We'll need
to support CDI to allow interceptions before and after expression
evaluations. Maybe we can combine the two somehow.
Kin-man
> Mark
>
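
Added example, not part of this thread or of any EL proposal: a Java sketch of why the encoding discussed above has to be chosen per output context, with the same evaluated value passed through an HTML, a JavaScript-string and a CSS encoder via a filter hook. The class, the method names and the `render` hook are hypothetical, and the sample value is constructed.

```java
import java.util.function.UnaryOperator;

// Hypothetical names throughout; this is not the EL API and not a proposal from the thread.
public class ContextualEncodingDemo {
    static boolean isAsciiAlnum(int c) {
        return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
    }

    // HTML text and quoted attribute values: entity-encode the markup characters ('&' first).
    static String forHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // JavaScript string literal: hex-escape every UTF-16 unit that is not ASCII alphanumeric.
    static String forJsString(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (isAsciiAlnum(c)) out.append(c);
            else out.append(String.format("\\u%04x", (int) c));
        }
        return out.toString();
    }

    // CSS string or identifier: backslash, hex code point, then a terminating space.
    static String forCss(String s) {
        StringBuilder out = new StringBuilder();
        s.codePoints().forEach(cp -> {
            if (isAsciiAlnum(cp)) out.appendCodePoint(cp);
            else out.append(String.format("\\%x ", cp));
        });
        return out.toString();
    }

    // Stand-in for a filter hook: the caller names the encoder that matches the output context.
    static String render(Object elResult, UnaryOperator<String> filter) {
        return filter.apply(String.valueOf(elResult));
    }

    public static void main(String[] args) {
        Object value = "O'Reilly & <Sons>"; // constructed sample standing in for an EL result
        System.out.println("HTML: " + render(value, ContextualEncodingDemo::forHtml));
        System.out.println("JS:   " + render(value, ContextualEncodingDemo::forJsString));
        System.out.println("CSS:  " + render(value, ContextualEncodingDemo::forCss));
    }
}
```

The three outputs differ for the same input, so a single hard-coded escape in the evaluator could not be correct for all three contexts.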