Make ${} operator XSS safe in Struts 2 (same as tapestry)

by
  1. Struts2 <s:property value="name" /> is automatically escaped by default;
  2. JSTL <c:out value="${name}" /> is automatically escaped by default;
  3. JSP EL ${name} is NOT escaped.

You can explicitly escape it with ${fn:escapeXml(name)} , or set the escape to be performed by default creating a custom ELResolver as described in this great article:

More Related Contents:

  1. how to compare list elements(type string) and string(in request scope) using struts 2 tags
  2. How to install JSTL? The absolute uri: http://java.sun.com/jstl/core cannot be resolved
  3. javax.el.PropertyNotFoundException: Property ‘foo’ not found on type com.example.Bean
  4. Collect and save submitted values of multiple dynamic HTML inputs back in servlet
  5. Evaluate empty or null JSTL c tags
  6. How to compare two object variables in EL expression language?
  7. How to access objects in EL expression language ${}
  8. There is no Action mapped for namespace [/] and action name [login] associated with context path [/Struts2Test]
  9. Upload multiple files at once to a Struts2 @Action
  10. javax.servlet.ServletException: javax.servlet.jsp.JspTagException: Don’t know how to iterate over supplied “items” in
  11. How to concatenate a String in EL?
  12. Calculate total sum of all numbers in c:forEach loop
  13. How to call parameterized method from JSP using JSTL/EL
  14. How to nest an EL expression in another EL expression
  15. if…else within JSP or JSTL
  16. How to use if-else option in JSTL
  17. c:forEach throws javax.el.PropertyNotFoundException: Property ‘foo’ not found on type java.lang.String
  18. Enabling JavaServerPages Standard Tag Library (JSTL) in JSP
  19. Adding external resources (CSS/JavaScript/images etc) in JSP
  20. JSTL tags on JSP page do not work and appear plain in HTML page source
  21. Check a collection size with JSTL
  22. java.lang.NoClassDefFoundError: javax/servlet/jsp/tagext/TagLibraryValidator
  23. How to install JSTL? The absolute uri: http://java.sun.com/jsp/jstl/core cannot be resolved [duplicate]
  24. How to access at request attributes in JSP?
  25. Passing parameters to action through ModelDriven in Struts 2
  26. Selected value for JSP drop down using JSTL
  27. What’s the difference between # , % and $ signs in Struts tags?
  28. Struts 2 dynamic variables
  29. Unicode characters in servlet application are shown as question marks
  30. Passing parameters to another JSP file using tag

Leave a Comment