-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Adam,
On 9/11/20 19:30, Adam Rauch wrote: > I have implemented a custom JspWriter and registered it for use by > our JSPs using the approach described here: > https://stackoverflow.com/questions/29508245/jsp-using-a-delegate-for- out-jspwriter-with-jsp-includes-to-change-the-beh > > > > I created a custom JspFactory that returns a custom JspContext > that returns my custom JspWriter. I then replaced the standard > JspFactory by calling JspFactory.setDefaultFactory(). This works, > though it results in some undesired behavior. I also note that the > setDefaultFactory() JavaDoc seems to claim that my approach is > "illegal". > > So, is there a preferred way for my web application to provide a > custom JspWriter for my JSPs to use? > > (If you're curious, our JspWriter HTML encodes all strings that > aren't designated as safe-to-render, like React and other modern > JavaScript frameworks do. The usual JSP approach is too susceptible > to XSS vulnerabilities, IMO.) Really? Seems like <c:out value="{stuff}" /> should work just fine. You prefer this? <%= myVar %> How do you mark variables as being "HTML-safe"? If you don't trust your JSP programmers to do this correctly, maybe JSP isn't the right technology for your team. (I happen to think that JSP needs to go away, but that's just me). - -chris -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl9fbeQACgkQHPApP6U8 pFi2gg/7BpbFf3+QXlr78ZjIHYB2C2x0+VF9mX4pKwiOmp2y6q70tWGExCOaEYId vSNYMUjL0PwsCEVZDmX4roAT+Ep2VeqR+opvRf9JU8SuVkAlgplXg7nePRPnCRq6 hlf0NgrZ6U5WM3wxvpH8uFroarTSym6T/fEjdR3Ff7AjSE7v23VUvmW5bCxQ/M/u 1hEZPXpOfCjJZRkJynu0etF1GnhgjFPsbsvW7IPFsKLKgApYPVY5uytJSGeshtU4 /l612ZHO0618vI53jP/JmOPCQrdjLTY7YNFHwh0j+QCykSYTk7rpI46JFfD/wmJ/ /JsrUH7Dy+qrmZJzh9hCF1q4ITRddhUhK5ztNYpOiOFDAr+urz+QEaeThsSohOvt k86X8Jivhn2TB4Mtb4vb/MEEvzRVC+Fjj3QXEzP4GY3SJpvTDB+wVIQq59IvH9Em +iDnLeJBWHzHx1ZS/XyUUW1ZKIvNEQ1qKXqw95uHk0mvCKsVMkHThQ71h+g7Ooc2 z/ubrBy2yxJrzhELk+oDUQwd82YdEksZ9CGgXvj+JPpdNqAWpf5C2W2Sjwv2cvTj z38bBFyk1mKC1B90KslEZjmIPCYgPFfZGV9Ro6vg7VcH/yOFIGXOvaLBh2apx4xs m6ADTFP+PBIiAJ5glrvhfJHvYpMssy68vDnThKbjfon+vE1tu1I= =zEGy -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
