I have implemented a custom JspWriter and registered it for use by our
JSPs using the approach described here:
https://stackoverflow.com/questions/29508245/jsp-using-a-delegate-for-out-jspwriter-with-jsp-includes-to-change-the-beh
I created a custom JspFactory that returns a custom JspContext that
returns my custom JspWriter. I then replaced the standard JspFactory by
calling JspFactory.setDefaultFactory(). This works, though it results in
some undesired behavior. I also note that the setDefaultFactory()
JavaDoc seems to claim that my approach is "illegal".
So, is there a preferred way for my web application to provide a custom
JspWriter for my JSPs to use?
(If you're curious, our JspWriter HTML encodes all strings that aren't
designated as safe-to-render, like React and other modern JavaScript
frameworks do. The usual JSP approach is too susceptible to XSS
vulnerabilities, IMO.)
Thanks,
Adam
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
