webtier@glassfish.java.net

Re: [webtier] EL output filtering in JSP

From: <lincolnbaxter_at_gmail.com>
Date: Mon, 11 May 2009 15:22:43 +0000

I recommend making or using a custom output component like those provided by JSF.

<h:outputText value="${message}" escape="true"/>

Escape defaults to true.

Lincoln
http://ocpsoft.com

------Original Message------
From: webtier_at_javadesktop.org
To: webtier_at_glassfish.dev.java.net
ReplyTo: webtier_at_glassfish.dev.java.net
Subject: [webtier] EL output filtering in JSP
Sent: May 11, 2009 11:05

Hi,

I'm working on a JSP application (non-JSF) and I'd like to do some output filtering on every variable that is used in the JSP pages. The reason for this is security: I want to prevent cross-site scripting.

We're using a home-brewed MVC framework which looks a bit like Struts, so I have plenty of options regarding logic placement.

The control flow is very simple, all logic is put into Java controllers, which are executed. The controllers return the model back to the page. The framework does this by calling request.setAttribute() for each model variable. So far, so good.

The problem is, not every model variable is a simple string. For example, we pass complete domain objects (Client, Transaction, Account) back to the JSP and the JSP then walks over the object graphs.

So, in the JSP, we have expressions like the following:
${client.firstName}
${param.id}
${message}
<c:forEach var="a" items="${accounts}">${a.name}</c:forEach>
<c:if test="${someBoolean}">...</c:if>

What I'd like to do is have a hook which is called when the complete expression is evaluated. In that hook, I check if the type is a String. If so, I do some HTML escaping.

But the problem is, I don't have a place to put this code. I've looked at ELResolvers, but it looks like they work a bit differently.

I'm using JBoss EAP 4.3, so Tomcat 6 as the Servlet container.

Does anyone have an idea?
[Message sent by forum member 'jkva' (jkva)]

http://forums.java.net/jive/thread.jspa?messageID=345803
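A JSP-only counterpart to the `<h:outputText escape="true">` suggestion above, added here as an example and not code from either poster: a SimpleTag whose `escape` attribute defaults to true, so every rendered model string is HTML-encoded unless the page explicitly opts out. The package name, the `x` tag prefix and the tag name are assumptions; `SimpleTagSupport` is part of the JSP 2.1 API that Tomcat 6 ships.

```java
package com.example.tags; // assumed package name, not from the thread

import java.io.IOException;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.SimpleTagSupport;

/**
 * Usage in a JSP, once declared in a TLD with both attributes rtexprvalue=true:
 *   <x:outputText value="${client.firstName}"/>           escaped (default)
 *   <x:outputText value="${trustedHtml}" escape="false"/>  raw, explicit opt-out
 */
public class OutputTextTag extends SimpleTagSupport {

    private Object value;
    private boolean escape = true; // safe default: the page must opt out of escaping

    public void setValue(Object value) { this.value = value; }
    public void setEscape(boolean escape) { this.escape = escape; }

    @Override
    public void doTag() throws JspException, IOException {
        if (value == null) {
            return; // a missing model value renders as nothing
        }
        String text = value.toString();
        getJspContext().getOut().write(escape ? escapeHtml(text) : text);
    }

    /**
     * Encodes the characters that let a value break out of HTML text or a
     * quoted attribute. This is only correct for those two contexts; a value
     * placed inside a <script> block or a URL needs a different encoder.
     */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#34;");  break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Unlike escaping inside an ELResolver, the tag encodes only at the point where a value is written into HTML, so `${someBoolean}` in a `c:if` test and values reused in non-HTML contexts are left untouched.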
