webtier@glassfish.java.net

[webtier] EL output filtering in JSP

From: <webtier_at_javadesktop.org>
Date: Mon, 11 May 2009 08:05:52 PDT

Hi,

I'm working on a JSP application (non-JSF) and I'd like to do some output filtering on every variable that is used in the JSP pages. The reason for this is security: I want to prevent cross-site scripting.

We're using a home-brewed MVC framework which looks a bit like Struts, so I have plenty of options regarding logic placement.

The control flow is very simple, all logic is put into Java controllers, which are executed. The controllers return the model back to the page. The framework does this by calling request.setAttribute() for each model variable. So far, so good.

The problem is, not every model variable is a simple string. For example, we pass complete domain objects (Client, Transaction, Account) back to the JSP and the JSP then walks over the object graphs.

So, in the JSP, we have expressions like the following:
${client.firstName}
${param.id}
${message}
<c:forEach var="a" items="${accounts}">${a.name}</c:forEach>
<c:if test="${someBoolean}">...</c:if>

What I'd like to do is have a hook which is called when the complete expression is evaluated. In that hook, I check if the type is a String. If so, I do some HTML escaping.

But the problem is, I don't have a place to put this code. I've looked at ELResolvers, but it looks like they work a bit differently.

I'm using JBoss EAP 4.3, so Tomcat 6 as the Servlet container.

Does anyone have an idea?
[Message sent by forum member 'jkva' (jkva)]

http://forums.java.net/jive/thread.jspa?messageID=345803
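One place such a hook can live, shown here as an added example that is not code from the thread: a JSP 2.1 ELResolver registered through JspApplicationContext.addELResolver() from a ServletContextListener. It resolves base.property with the same standard resolvers the container uses and HTML-escapes only the String results, so domain objects, collections and Booleans pass through untouched. The class names are hypothetical; it assumes a JSP 2.1 container such as Tomcat 6.

```java
import java.beans.FeatureDescriptor;
import java.util.Iterator;
import javax.el.*;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.jsp.JspContext;
import javax.servlet.jsp.JspFactory;

// Hypothetical resolver: resolves base.property exactly like the standard JSP resolvers, then HTML-escapes String results.
public class EscapingELResolver extends ELResolver {
    private final CompositeELResolver delegate = new CompositeELResolver();
    public EscapingELResolver() { // the same resolvers, in the same order, the container applies when base != null
        delegate.add(new MapELResolver());  delegate.add(new ResourceBundleELResolver());
        delegate.add(new ListELResolver()); delegate.add(new ArrayELResolver()); delegate.add(new BeanELResolver());
    }
    @Override
    public Object getValue(ELContext ctx, Object base, Object property) {
        Object value;
        if (base == null) {
            // Top-level name such as ${message}: the container's ScopedAttributeELResolver runs *after* added
            // resolvers, so the scoped-attribute lookup has to happen here or the String would reach the page unescaped.
            JspContext jsp = (JspContext) ctx.getContext(JspContext.class);
            value = (jsp == null || property == null) ? null : jsp.findAttribute(property.toString());
            if (value == null) return null; // not a scoped attribute: leave it to the container
            ctx.setPropertyResolved(true);
        } else {
            value = delegate.getValue(ctx, base, property);
            if (!ctx.isPropertyResolved()) return null;
        }
        // Only leaf Strings are escaped; domain objects and Booleans pass through, so ${client.firstName} still walks the graph.
        return value instanceof String ? escapeHtml((String) value) : value;
    }
    static String escapeHtml(String s) { // '&' must be replaced first or the entities themselves get re-escaped
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&#34;").replace("'", "&#39;");
    }
    // Everything else is delegated unchanged.
    @Override public Class<?> getType(ELContext c, Object b, Object p) { return delegate.getType(c, b, p); }
    @Override public void setValue(ELContext c, Object b, Object p, Object v) { delegate.setValue(c, b, p, v); }
    @Override public boolean isReadOnly(ELContext c, Object b, Object p) { return delegate.isReadOnly(c, b, p); }
    @Override public Iterator<FeatureDescriptor> getFeatureDescriptors(ELContext c, Object b) { return delegate.getFeatureDescriptors(c, b); }
    @Override public Class<?> getCommonPropertyType(ELContext c, Object b) { return delegate.getCommonPropertyType(c, b); }
    // Registers the resolver before any JSP runs: declare EscapingELResolver$Listener as a <listener> in web.xml.
    public static class Listener implements ServletContextListener {
        public void contextInitialized(ServletContextEvent e) {
            JspFactory.getDefaultFactory().getJspApplicationContext(e.getServletContext()).addELResolver(new EscapingELResolver());
        }
        public void contextDestroyed(ServletContextEvent e) { }
    }
}
```

Because this escapes every String that EL yields, values handed to tags such as <c:set>, <c:url> or <fmt:message>, and anything already wrapped in <c:out>, will be escaped (or double-escaped) as well, so those usages need reviewing before the resolver goes in. The escaping is HTML body/attribute encoding only; strings placed inside <script> blocks or URLs need their own context-specific encoding.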