On 9/14/2020 6:19 AM, Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Adam,
On 9/11/20 19:30, Adam Rauch wrote:
I have implemented a custom JspWriter and registered it for use by
our JSPs using the approach described here:
https://stackoverflow.com/questions/29508245/jsp-using-a-delegate-for-
out-jspwriter-with-jsp-includes-to-change-the-beh
I created a custom JspFactory that returns a custom JspContext
that returns my custom JspWriter. I then replaced the standard
JspFactory by calling JspFactory.setDefaultFactory(). This works,
though it results in some undesired behavior. I also note that the
setDefaultFactory() JavaDoc seems to claim that my approach is
"illegal".
So, is there a preferred way for my web application to provide a
custom JspWriter for my JSPs to use?
(If you're curious, our JspWriter HTML encodes all strings that
aren't designated as safe-to-render, like React and other modern
JavaScript frameworks do. The usual JSP approach is too susceptible
to XSS vulnerabilities, IMO.)
Really?
Seems like <c:out value="{stuff}" /> should work just fine. You prefer
this?
<%= myVar %>
How do you mark variables as being "HTML-safe"?
If you don't trust your JSP programmers to do this correctly, maybe
JSP isn't the right technology for your team. (I happen to think that
JSP needs to go away, but that's just me).
- -chris
Thanks, Chris. I don't particularly love JSPs either, and we target
React for most UI work these days, but we maintain a large system that
includes ~1,000 existing JSPs. We also have many third party developers
building their own code on our platform and we like the system to
enforce best practices as much as possible. Our JSP base class makes it
trivial to encode Strings (<%=h(myString)%>); the challenge is
distinguishing Strings that contain well-formed HTML (produced by helper
methods or commonly used builders) from those that don't. We have
introduced a SafeToRender interface to mark Objects that are allowed to
render themselves without encoding (i.e., their toString() must render
well-formed HTML or JavaScript). HtmlString and JavaScriptFragment are
String wrappers that implement SafeToRender, and are used to safely
build ad hoc content. Likewise, builders for common HTML elements and
JSON. While I trust my developers, this approach allows for
straightforward verification and security auditing.
Adam
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
