OWASP / owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://owasp.org/www-project-java-encoder/
BSD 3-Clause "New" or "Revised" License
483 stars 112 forks

Jsp tags not working together with EL expressions #56

Closed naftolib closed 1 month ago

naftolib commented 2 years ago

Hi. I would like to report an issue: when using the encoder with JSP tags, it works perfectly only when using static content like this: `<e:forHtml value="</script>" />`, but not when using EL like this: `<e:forHtml value="${param.id}" />`. When using EL, the expression isn't being evaluated but rather gets printed as is on the screen. There might be something wrong with my web.xml that would need additional configs to make it work, or there might be something with the tags such that they do not support EL. Please look into it.

Thanks a lot

jmanico commented 2 years ago

cc @jeremylong cc @kwwall help?

jeremylong commented 2 years ago

@naftolib We would need a little more information about your project to help - as you appear to be using the exact same syntax that was tested and is documented: https://github.com/OWASP/owasp-java-encoder/blob/main/jsp/src/site/markdown/index.md#jsp-usage

If you are using EL - I would avoid using the tags and just use: ${e:forHtml(param.value)}
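An added example (not from the issue or the project's documentation) that puts the two forms mentioned above side by side in one page, plus a plain EL expression that tells you whether EL is being evaluated at all. It assumes the `owasp-java-encoder-jsp` jar is on the web application's classpath and uses the `owasp.encoder` taglib URI that the project's JSP module declares; `param.id` is just a request parameter chosen for the example.

```jsp
<%-- Added example, not code from the project or the issue. Assumes
     owasp-java-encoder-jsp is on the classpath; "owasp.encoder" is the
     project's taglib URI. --%>
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" isELIgnored="false" %>
<%@ taglib prefix="e" uri="owasp.encoder" %>
<!DOCTYPE html>
<html>
<head><title>Encoder EL check</title></head>
<body>
<%-- 1. Static content through the tag: EL is not involved, so this always works --%>
<p><e:forHtml value="</script>" /></p>

<%-- 2. Request parameter through the tag: the value attribute accepts an EL expression --%>
<p><e:forHtml value="${param.id}" /></p>

<%-- 3. The same encoding as an EL function, with no tag at all --%>
<p>${e:forHtml(param.id)}</p>

<%-- 4. An attribute value is a different context and needs the attribute encoder --%>
<input type="text" value="${e:forHtmlAttribute(param.id)}" />

<%-- 5. Diagnostic: if this renders literally as ${1 + 1} instead of 2, the container
     is ignoring EL for this page, so no encoder tag or function can be evaluated --%>
<p>EL check: ${1 + 1}</p>
</body>
</html>
```

If line 5 prints the expression literally, the problem is page or descriptor configuration rather than the encoder: EL is ignored when `isELIgnored="true"` is set (on the page or in a `jsp-property-group` in web.xml) and, by default, when web.xml declares a pre-2.4 servlet specification (a Servlet 2.3 DTD root element), which matches the "something wrong with my web.xml" suspicion above. Requesting the page with an `id` parameter such as `<script>` should show the encoded text in cases 2 and 3, and the encoded attribute value in case 4.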

naftolib commented 2 years ago

I have tried this syntax as well, ${e:forHtml(param.value)}, but had the same issue. I managed to create my own tag as a wrapper around the OWASP tag and, using Apache ExpressionUtil, was able to get the expressions evaluated. If indeed EL was tested and works for you, then it's most probably our project setup which is causing the issue. Unfortunately I cannot share any project-specific details publicly. Thanks for your research.

jeremylong commented 1 month ago

I have again verified that the tags are working as expected. I've even attempted to add a selenium test in PR #75 that will test to ensure things are working as expected. While I've manually tested this, I still have issues with the selenium test containers. However, see:

https://github.com/OWASP/owasp-java-encoder/pull/75/files#diff-c7319af1105097e9fa7147b6cd62af0e0661cfad91b977e7924e4e3263d188e6R22-R23

As such, I'm closing this issue.