RE: EL Mystery
Paul,

Thank you very much. That solved the problem. We moved to 2.4 and EL works the way I had hoped. We were referencing 2.2.

Thanks,
Kurt

--
Kurt Williams
[EMAIL PROTECTED]

> Kurt,
>
> JSP 2.0 containers have EL turned off implicitly if you are not using the
> Servlet 2.4 spec. Check the top of your web.xml file -- if you see it is
> referencing the 2.3 DTD, you need to change it to the 2.4 schema.
>
> Thanks,
> Paul
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 23, 2005 2:39 PM
> To: user@struts.apache.org
> Subject: EL Mystery
>
> I have been trying to solve a mystery concerning EL.
>
> We are using 4 taglibs in our project:
>
> <%-- JSTL tag libs --%>
> <%@ taglib prefix="fmt" uri="/WEB-INF/fmt.tld" %>
> <%@ taglib prefix="c" uri="/WEB-INF/c.tld" %>
>
> <%-- Struts provided Taglibs --%>
> <%@ taglib prefix="html" uri="/WEB-INF/struts-html-el.tld" %>
> <%@ taglib prefix="logic" uri="/WEB-INF/struts-logic-el.tld" %>
>
> They are working fine and respond to EL included in their tags.
>
> However, if we try to use EL outside of a tag it simply renders the EL into
> the HTML.
>
> ${login.fullName} appears as ${login.fullName} on the rendered page.
>
> renders as the user full name.
>
> In trying to track down why the naked EL won't work I added
> isELIgnored="false" to the page directive for the page, and if we are not
> using any tags with EL in them it works. The naked EL will render what we
> are expecting. But as soon as we have a tag with EL in a value or other
> attribute the page will error on compile.
>
> I'm confused because I thought EL was active by default, and it does work in
> our tags but not outside of any tags. Once we place the isELIgnored="false"
> in the page directive the EL works outside of the tags but fails when used
> inside some of the tags.
>
> Can someone shed some light on this mystery? Also I have heard that using
> EL outside of tags can be a security problem and that it is better to use a
> instead.
>
> Thanks,
> Kurt
>
> --
> Kurt Williams
> Marex Services
> [EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: EL Mystery
hmm, having said that, it might be weird if the default behaviour was to filter. e.g. comparing "${company.name} is cool" and "${company.name} is cool" ${companyName} would have the second one filtered twice. It might be possible to only filter when not inside a tag. But that might then look inconsistent. bah.

Jason Lea wrote:
> The default for bean:write and c:out is to filter the content. Both can have
> filtering turned off if you wish.
>
> Shame the ${} notation filter by default :(
> I didn't notice that in the documentation and assumed I could replace all my
> c:out's with ${} which is nicer to write. Would be nice if they changed this
> behaviour in the next version.

--
Jason Lea
Re: EL Mystery
Or try escaping the true or false depending

hope that helps...

On Wed, 23 Mar 2005 15:56:02 -0500, Jeff Beal <[EMAIL PROTECTED]> wrote:
> On Wed, 23 Mar 2005 19:38:39 +, [EMAIL PROTECTED]
> <[EMAIL PROTECTED]> wrote:
>
> > Can someone shed some light on this mystery? Also I have heard that using
> > EL outside of tags can be a security problem and that it is better to use a
> > instead.
>
> The security part of this was mentioned on the list sometime in the
> last couple of weeks. The tags will escape any
> HTML-sensitive characters, but the straight EL language does not. So,
> let's say that your variable 'EL' that you were using is a String:
> ""
>
> would print:
> and the user would
> just see the characters -- no harm done.
>
> ${EL} would just print the String, and whatever script is included in
> 'nastybad.js' would be executed on the end-user's machine.
>
> If you are confident that the contents of your EL variable couldn't
> possibly have any harmful HTML in them, go ahead and use ${EL}.
>
> --
> Jeff Beal
> Webmedx, Inc.
> Pittsburgh, PA USA
Re: EL Mystery
The default for bean:write and c:out is to filter the content. Both can have filtering turned off if you wish.

Shame the ${} notation filter by default :(
I didn't notice that in the documentation and assumed I could replace all my c:out's with ${} which is nicer to write. Would be nice if they changed this behaviour in the next version.

Leon Rosenberg wrote:
> So, it's as much of a security risk as bean:write? I mean you could turn the
> filter off and get the same effect?
>
> Leon
>
> From: Jeff Beal [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 23 March 2005 21:56
> To: Struts Users Mailing List
> Subject: Re: EL Mystery
>
> On Wed, 23 Mar 2005 19:38:39 +, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > Can someone shed some light on this mystery? Also I have heard that using
> > EL outside of tags can be a security problem and that it is better to use a
> > instead.
>
> The security part of this was mentioned on the list sometime in the last
> couple of weeks. The tags will escape any HTML-sensitive characters, but the
> straight EL language does not. So, let's say that your variable 'EL' that
> you were using is a String:
> "
>
> would print:
> <script language="JavaScript" href=""
> and the user would just see the characters -- no harm done.
>
> ${EL} would just print the String, and whatever script is included in
> 'nastybad.js' would be executed on the end-user's machine.
>
> If you are confident that the contents of your EL variable couldn't
> possibly have any harmful HTML in them, go ahead and use ${EL}.
>
> --
> Jeff Beal
> Webmedx, Inc.
> Pittsburgh, PA USA

--
Jason Lea
Re: EL Mystery
So, it's as much of a security risk as bean:write? I mean you could turn the filter off and get the same effect?

Leon

> From: Jeff Beal [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 23 March 2005 21:56
> To: Struts Users Mailing List
> Subject: Re: EL Mystery
>
> On Wed, 23 Mar 2005 19:38:39 +, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > Can someone shed some light on this mystery? Also I have heard that using
> > EL outside of tags can be a security problem and that it is better to use a
> > instead.
>
> The security part of this was mentioned on the list sometime in the last
> couple of weeks. The tags will escape any HTML-sensitive characters, but the
> straight EL language does not. So, let's say that your variable 'EL' that
> you were using is a String:
> ""
>
> would print:
> <script language="JavaScript" href="nastybad.js"></script>
> and the user would just see the characters -- no harm done.
>
> ${EL} would just print the String, and whatever script is included in
> 'nastybad.js' would be executed on the end-user's machine.
>
> If you are confident that the contents of your EL variable couldn't
> possibly have any harmful HTML in them, go ahead and use ${EL}.
>
> --
> Jeff Beal
> Webmedx, Inc.
> Pittsburgh, PA USA
Re: EL Mystery
On Wed, 23 Mar 2005 19:38:39 +, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Can someone shed some light on this mystery? Also I have heard that using EL
> outside of tags can be a security problem and that it is better to use a
> instead.

The security part of this was mentioned on the list sometime in the last couple of weeks. The tags will escape any HTML-sensitive characters, but the straight EL language does not. So, let's say that your variable 'EL' that you were using is a String:

""

would print:

and the user would just see the characters -- no harm done.

${EL} would just print the String, and whatever script is included in 'nastybad.js' would be executed on the end-user's machine.

If you are confident that the contents of your EL variable couldn't possibly have any harmful HTML in them, go ahead and use ${EL}.

--
Jeff Beal
Webmedx, Inc.
Pittsburgh, PA USA
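Jeff Beal's point above, as an added example that is not part of the thread: a small Java class that applies the same five-character XML escaping JSTL's <c:out> performs by default (escapeXml="true") to the string from his message, next to what a bare ${EL} emits. The class name, the rawEl and containsMarkup helpers and the sample value are my own constructions, not code from the list or from the JSTL implementation.

```java
// Added example: what <c:out value="${EL}"/> writes versus what a bare ${EL} writes.
public final class ElEscapeDemo {

    // The five characters JSTL's <c:out> replaces when escapeXml is true (the default).
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // A bare ${EL} in the page writes the value verbatim into the HTML.
    static String rawEl(String value) {
        return value == null ? "" : value;
    }

    // Cheap check a reviewer can run over rendered output: is a tag start still present?
    static boolean containsMarkup(String rendered) {
        return rendered.indexOf('<') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample value: the string Jeff's message uses.
        String el = "<script language=\"JavaScript\" href=\"nastybad.js\"></script>";

        String viaCOut  = escapeXml(el); // what <c:out value="${EL}"/> emits
        String viaBareEl = rawEl(el);    // what ${EL} emits

        // The escaped form is shown to the user as text; the raw form is parsed as a tag.
        System.out.println("c:out : " + viaCOut + "  markup=" + containsMarkup(viaCOut));
        System.out.println("${EL} : " + viaBareEl + "  markup=" + containsMarkup(viaBareEl));
    }
}
```

Turning escapeXml="false" on <c:out>, or filter="false" on bean:write, makes the tag behave like rawEl here, which is the equivalence Leon asks about later in the thread.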
RE: EL Mystery
Kurt,

JSP 2.0 containers have EL turned off implicitly if you are not using the Servlet 2.4 spec. Check the top of your web.xml file -- if you see it is referencing the 2.3 DTD, you need to change it to the 2.4 schema.

Thanks,
Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 23, 2005 2:39 PM
To: user@struts.apache.org
Subject: EL Mystery

I have been trying to solve a mystery concerning EL.

We are using 4 taglibs in our project:

<%-- JSTL tag libs --%>
<%@ taglib prefix="fmt" uri="/WEB-INF/fmt.tld" %>
<%@ taglib prefix="c" uri="/WEB-INF/c.tld" %>

<%-- Struts provided Taglibs --%>
<%@ taglib prefix="html" uri="/WEB-INF/struts-html-el.tld" %>
<%@ taglib prefix="logic" uri="/WEB-INF/struts-logic-el.tld" %>

They are working fine and respond to EL included in their tags.

However, if we try to use EL outside of a tag it simply renders the EL into the HTML.

${login.fullName} appears as ${login.fullName} on the rendered page.

renders as the user full name.

In trying to track down why the naked EL won't work I added isELIgnored="false" to the page directive for the page, and if we are not using any tags with EL in them it works. The naked EL will render what we are expecting. But as soon as we have a tag with EL in a value or other attribute the page will error on compile.

I'm confused because I thought EL was active by default, and it does work in our tags but not outside of any tags. Once we place the isELIgnored="false" in the page directive the EL works outside of the tags but fails when used inside some of the tags.

Can someone shed some light on this mystery? Also I have heard that using EL outside of tags can be a security problem and that it is better to use a instead.

Thanks,
Kurt

--
Kurt Williams
Marex Services
[EMAIL PROTECTED]