pukkaone / webappenhance

Java web application enhancements library. Compile JSPs on startup. Escape JSP EL values to prevent cross-site scripting.
34 stars 10 forks source link

Java Web Application Enhancements Library

Utility library for Java web applications

Add library to your project

Add this Maven dependency:

<dependency>
  <groupId>com.github.pukkaone</groupId>
  <artifactId>webappenhance</artifactId>
  <version>1.0.1</version>
</dependency>

Compile JSPs on startup

In the web.xml file, add a listener:

<listener>
  <listener-class>com.github.pukkaone.jsp.JspCompileListener</listener-class>
</listener> 

Escape JSP EL values to prevent cross-site scripting

In the web.xml file, add a listener:

<listener>
  <listener-class>com.github.pukkaone.jsp.EscapeXmlELResolverListener</listener-class>
</listener> 

Disable escaping

Use a custom tag to surround JSP code in which EL values should not be escaped:

<%@ taglib prefix="enhance" uri="http://pukkaone.github.com/jsp" %>

<enhance:out escapeXml="false">
  I hope this expression returns safe HTML: ${user.name}
</enhance:out>

Read model data in Jersey MVC JSP templates without "it."

Jersey's MVC framework exposes the model object to the JSP template as a request attribute named "it". To read the model data, a JSP template must evaluate an EL expression reading a property of this object, for example, ${it.propertyName}. This custom EL resolver exposes model properties as implicit objects, allowing a JSP template to read a model property with an EL expression like ${propertyName}.

In the web.xml file, add a listener:

<listener>
  <listener-class>com.github.pukkaone.jsp.ViewableModelELResolverListener</listener-class>
</listener>