pukkaone / webappenhance

Java web application enhancements library. Compile JSPs on startup. Escape JSP EL values to prevent cross-site scripting.

Multiple escaping when passing variables #3

Open mikeya opened 9 years ago

mikeya commented 9 years ago

It'd be nice to figure out a pattern that doesn't cause multiple escaping. For example:

<c:set var='testEscapingVar' value='<script>alert(\"boo\");</script>"'/>
<c:set var='testEscapingVar' value='${testEscapingVar}'/>
<c:set var='testEscapingVar' value='${testEscapingVar}'/>

${testEscapingVar}

causes: &amp;lt;script&amp;gt;alert(&amp;#034;boo&amp;#034;);&amp;lt;/script&amp;gt;&amp;#034;

any thoughts?

pukkaone commented 9 years ago

You can disable escaping for all of the variable references except for one:

<%@ taglib prefix="enhance" uri="http://pukkaone.github.com/jsp" %>

<enhance:out escapeXml="false">
  <c:set var='testEscapingVar' value='<script>alert(\"boo\");</script>"'/>
  <c:set var='testEscapingVar' value='${testEscapingVar}'/>
</enhance:out>
<c:set var='testEscapingVar' value='${testEscapingVar}'/>

${testEscapingVar}

mikeya commented 9 years ago

I understand, but what if we're passing variables around through JSPs/JSPFs? I'd really like to avoid tagging a bunch of places with <enhance:out escapeXml="false"></enhance:out>

pukkaone commented 9 years ago

The pattern I suggest is to make a JSP a passive view that does not implement any presentation logic that sets a variable. The JSP only reads variables.

AlexByte commented 7 years ago

Why do you need to escape manually if it automatically escapes?

pukkaone commented 7 years ago

With EscapeXmlELResolverListener registered, the values from all JSP variable references will be escaped. Sometimes you don't want the values escaped. The tag <enhance:out escapeXml="false"> disables escaping.

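The three behaviours discussed in this thread (cumulative escaping when a JSP copies a variable into itself, an escapeXml="false" region around every reference but the last, and a passive view that only reads) can be reproduced with a small model of an escaping resolver. The code below is an added illustration written for this page; it is not webappenhance's EscapeXmlELResolver or any of its tags. The class names, the `get`/`set`/`unescaped` methods and the `PAYLOAD` string are all constructed for the example. The escaping routine maps the five XML-significant characters to the same entities that appear in the issue's output.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Toy model of an EL resolver that escapes every variable read
 * (constructed for this example; not webappenhance's implementation).
 * get() models ${name}: escaped unless inside an "unescaped" region.
 * set() models <c:set>: the value is stored verbatim.
 */
public class EscapingResolverDemo {

    /** Escape <, >, &, " and ' with the entities seen in the issue's output. */
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    private final Map<String, String> scope = new HashMap<>();
    private boolean escaping = true;

    /** Models <c:set var="name" value="..."/>: stores the value as given. */
    void set(String name, String value) {
        scope.put(name, value);
    }

    /** Models ${name}: escaped on every read while escaping is enabled. */
    String get(String name) {
        String value = scope.get(name);
        return escaping ? escapeXml(value) : value;
    }

    /** Models an <enhance:out escapeXml="false"> ... </enhance:out> region. */
    void unescaped(Runnable body) {
        boolean saved = escaping;
        escaping = false;
        try {
            body.run();
        } finally {
            escaping = saved;
        }
    }

    /** Constructed test payload, modelled on the one in the issue. */
    static final String PAYLOAD = "<script>alert(\"boo\");</script>";

    /** The reporter's JSP: the variable is copied into itself twice, then rendered. */
    static String copyTwiceThenRender() {
        EscapingResolverDemo r = new EscapingResolverDemo();
        r.set("v", PAYLOAD);
        r.set("v", r.get("v")); // first copy: escaped once
        r.set("v", r.get("v")); // second copy: escaped again
        return r.get("v");      // render: escaped a third time
    }

    /** Escaping disabled for every reference except the final render. */
    static String copyInsideUnescapedRegionThenRender() {
        EscapingResolverDemo r = new EscapingResolverDemo();
        r.unescaped(() -> {
            r.set("v", PAYLOAD);
            r.set("v", r.get("v")); // raw copy
            r.set("v", r.get("v")); // raw copy
        });
        return r.get("v");          // the single escaping reference
    }

    /** Passive view: the controller sets the variable, the JSP only reads it. */
    static String passiveView() {
        EscapingResolverDemo r = new EscapingResolverDemo();
        r.set("v", PAYLOAD);        // done outside the view
        return r.get("v");          // escaped exactly once
    }

    public static void main(String[] args) {
        System.out.println("copy twice      : " + copyTwiceThenRender());
        System.out.println("unescaped region: " + copyInsideUnescapedRegionThenRender());
        System.out.println("passive view    : " + passiveView());
    }
}
```

Running `main` shows `copyTwiceThenRender` producing a triple-escaped string (`&amp;amp;lt;script...`), because each `<c:set>` that reads `${v}` stores the already-escaped text and the final `${v}` escapes it once more. The other two methods return the payload escaped exactly once. The second one works only because the region encloses every read of the variable but the last; any `${v}` read outside it that is then stored with `<c:set>` reintroduces a layer of escaping, which is why the passive view is the pattern that scales across many JSPs and fragments.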
AlexByte commented 7 years ago

I know it. It's a question for the author of the issue.