
Re: [webtier] EL output filtering in JSP

Anonymous

I recommend making or using a custom output component like those provided by JSF.

Escape defaults to true

Lincoln
http://ocpsoft.com

------Original Message------
From: webtier@javadesktop.org
To: webtier@glassfish.dev.java.net
ReplyTo: webtier@glassfish.dev.java.net
Subject: [webtier] EL output filtering in JSP
Sent: May 11, 2009 11:05

Hi,

I'm working on a JSP application (non-JSF) and I'd like to do some output filtering on every variable that is used in the JSP pages. The reason for this is security, I want to prevent cross site scripting.

We're using a home-brewed MVC framework which looks a bit like Struts, so I have plenty of options regarding logic placement.

The control flow is very simple, all logic is put into Java controllers, which are executed. The controllers return the model back to the page. The framework does this by calling request.setAttribute() for each model variable. So far, so good.

The problem is, not every model variable is a simple string. For example, we pass complete domain objects (Client, Transaction, Account) back to the JSP and the JSP then walks over the object graphs.

So, in the JSP, we have expressions like the following:
${client.firstName}
${param.id}
${message}
${a.name}
...

What I'd like to do is have a hook which is called when the complete expression is evaluated. In that hook, I check if the type is a String. If so, I do some HTML escaping.

But the problem is, I don't have a place to put this code. I've looked at ELResolvers, but it looks like they work a bit differently.

I'm using JBoss EAP 4.3, so Tomcat 6 as the Servlet container.

Does anyone have an idea?
[Message sent by forum member 'jkva' (jkva)]

http://forums.java.net/jive/thread.jspa?messageID=345803


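As an added illustration of Lincoln's suggestion (a custom output tag whose escaping defaults to true, in the spirit of JSF's h:outputText), this is a hypothetical SimpleTag for JSP 2.1 / Tomcat 6; it is not code from the thread or from any library, and the tag name `out:text` and class name are assumptions.

```java
import java.io.IOException;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.SimpleTagSupport;

/**
 * Hypothetical output tag (not from the original thread or any library):
 *   <out:text value="${client.firstName}"/>
 * writes the value HTML-escaped. Escaping is ON unless the page author
 * explicitly writes escape="false", so the secure behaviour is the default.
 */
public class EscapingOutputTag extends SimpleTagSupport {
    private Object value;
    private boolean escape = true;   // secure default, as in JSF's h:outputText

    public void setValue(Object value) { this.value = value; }
    public void setEscape(boolean escape) { this.escape = escape; }

    @Override
    public void doTag() throws JspException, IOException {
        if (value == null) {
            return;                  // nothing to render for a null model value
        }
        // Non-String model values (numbers, dates, domain objects) are rendered
        // via toString(); the result is escaped the same way as a String.
        String text = String.valueOf(value);
        getJspContext().getOut().print(escape ? escapeHtml(text) : text);
    }

    /** Escapes the five characters that can break out of HTML text or a quoted attribute. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;   // &apos; is not HTML 4
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The tag still has to be declared in a TLD (with `value` marked as a runtime expression attribute and `escape` as an optional boolean), and this escaping is only correct for HTML body text and quoted attributes, not for values placed inside `<script>` blocks, event handlers or URLs, which need context-specific encoding.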

jkva
Joined: 2005-04-06

Well, since it's an online financial system, I wanted to create something more generic, to make sure security is "turned on" by default.

I don't want to expect maintainers to have to think about security too much when they are modifying pages. After all, security bugs are easy to create and hard to find.