Hi

On master we shifted from openejb-jstl to taglibs-standard-jstlel. I have
done the same on the 1.7.x branch, specifically to move on from the old
openejb-jstl (looking at https://nvd.nist.gov/vuln/detail/CVE-2015-0254).
The taglibs-standard-jstlel library does seem to depend on xalan, which we
currently do not include in TomEE.

The impact is that some XML functions in JSP code do not work, for
example:

<%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>

<x:parse var="movies">
    <movies>
      <movie id="1" name="Wedding Crashers" director="David Dobkin" genre="Comedy" rating="7" year="2005" />
      <movie id="2" name="Starsky &amp; Hutch" director="Todd Phillips" genre="Action" rating="6" year="2004" />
      <movie id="3" name="Shanghai Knights" director="David Dobkin" genre="Action" rating="6" year="2003" />
      <movie id="4" name="I-Spy" director="Betty Thomas" genre="Adventure" rating="5" year="2002" />
      <movie id="5" name="The Royal Tenenbaums" director="Wes Anderson" genre="Comedy" rating="8" year="2001" />
      <movie id="6" name="Zoolander" director="Ben Stiller" genre="Comedy" rating="6" year="2001" />
      <movie id="7" name="Shanghai Noon" director="Tom Dey" genre="Comedy" rating="7" year="2000" />
    </movies>
</x:parse>

Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre" /><br />

fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath (this on
both 1.7.x and master)

Including Xalan does fix this, but it's a 3MB dependency.

The alternative is to use org.glassfish.web:javax.servlet.jsp.jstl instead,
which I have tested and seems to work. Anyone have any thoughts?

Jon
