Benx Blog

九月 21, 2007

Diigo Diary 09/21/2007

Filed under: Diigo Diary — benxshen @ 8:34 上午

Raible Designs | Proposed Tomcat Enhancement: Add flag to escape JSP’s EL by default  Annotated

Hello all,

I’m working for a client that’s using a proprietary Servlet/JSP-based framework that runs on Tomcat. They have their own custom JSP compiler and they’re looking to move to a standard JSP compiler. One of the things their compiler supports is automatic escaping of XML in expressions. For example, ${foo} would be escaped so <body> -> &lt;body&gt;. JSP EL does not do this. It *doesn’t* escape by default and instead requires you to wrap your expressions with <c:out/> if you want escaping.

I’d like to ask what developers think about adding a flag (similar to trimSpaces in conf/web.xml) that allows users to change the escaping behavior from false to true?

I think this is a good option to have as it allows security-conscious organizations to paranoid and escape all content by default.



    Google Trends: jquery, yahoo ui

    發表迴響 »


    RSS feed for comments on this post. TrackBack URI


    在下方填入你的資料或按右方圖示以社群網站登入: Logo

    您的留言將使用 帳號。 登出 /  變更 )

    Google+ photo

    您的留言將使用 Google+ 帳號。 登出 /  變更 )

    Twitter picture

    您的留言將使用 Twitter 帳號。 登出 /  變更 )


    您的留言將使用 Facebook 帳號。 登出 /  變更 )


    連結到 %s

    在 建立免費網站或網誌.

    %d 位部落客按了讚: