On 12/09/2020 00:30, Adam Rauch wrote:
> I have implemented a custom JspWriter and registered it for use by our
> JSPs using the approach described here:
> https://stackoverflow.com/questions/29508245/jsp-using-a-delegate-for-out-jspwriter-with-jsp-includes-to-change-the-beh
> 
> 
> I created a custom JspFactory that returns a custom JspContext that
> returns my custom JspWriter. I then replaced the standard JspFactory by
> calling JspFactory.setDefaultFactory(). This works, though it results in
> some undesired behavior. I also note that the setDefaultFactory()
> JavaDoc seems to claim that my approach is "illegal".
> 
> So, is there a preferred way for my web application to provide a custom
> JspWriter for my JSPs to use?

How about using an include-prelude mapped to all JSPs to wrap the
default JspWriter with the custom writer?

Mark


> (If you're curious, our JspWriter HTML encodes all strings that aren't
> designated as safe-to-render, like React and other modern JavaScript
> frameworks do. The usual JSP approach is too susceptible to XSS
> vulnerabilities, IMO.)
> 
> Thanks,
> Adam
> 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
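
An added illustration, not part of the original messages and not Adam's or Tomcat's code: the encode-by-default behaviour described in the quoted message, reduced to a plain java.io.Writer wrapper so it runs without the servlet API. The names EncodingWriter and SafeHtml are hypothetical, and the split between write() for template text and print() for dynamic values is an assumption of this example.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

// Added illustration: EncodingWriter and SafeHtml are hypothetical names, not JSP or Tomcat API.
public class EncodingWriterDemo {
    /** Marker type for markup the application has designated safe to render. */
    static final class SafeHtml {
        final String html;
        SafeHtml(String html) { this.html = html; }
    }
    static final class EncodingWriter {
        private final Writer delegate;
        EncodingWriter(Writer delegate) { this.delegate = delegate; }
        // Assumption: static template text arrives here and is passed through unchanged.
        void write(String templateText) throws IOException { delegate.write(templateText); }
        // Dynamic values are encoded unless explicitly wrapped in SafeHtml.
        void print(Object value) throws IOException {
            if (value instanceof SafeHtml) delegate.write(((SafeHtml) value).html);
            else delegate.write(encode(String.valueOf(value)));
        }
    }

    static String encode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        StringWriter page = new StringWriter();
        EncodingWriter out = new EncodingWriter(page);
        out.write("<p>");
        out.print("<b>Tom & Jerry</b>");          // constructed untrusted value: encoded
        out.print(new SafeHtml("<em>ok</em>"));   // explicitly designated safe: passed through
        out.write("</p>");
        System.out.println(page);
    }
}
```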

