RE: EL Mystery

2005-03-24 Thread kurt . e . williams
Paul,

Thank you very much. That solved the problem. We moved to 2.4 and EL works the 
way I had hoped. We were referencing 2.2.

Thanks,
Kurt

--
Kurt Williams
[EMAIL PROTECTED]


> Kurt,
> 
> JSP 2.0 containers have EL turned off implicitly if you are not using the
> Servlet 2.4 spec. Check the top of your web.xml file -- if you see it is
> referencing the 2.3 DTD, you need to change it to the 2.4 schema.
> 
> Thanks,
> Paul
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, March 23, 2005 2:39 PM
> To: user@struts.apache.org
> Subject: EL Mystery
> 
> 
> I have been trying to solve a mystery concerning EL. 
> 
> We are using 4 taglibs in our project:
> 
> <%-- JSTL tag libs --%>
> <%@ taglib prefix="fmt" uri="/WEB-INF/fmt.tld" %>
> <%@ taglib prefix="c" uri="/WEB-INF/c.tld" %>
> 
> <%-- Struts provided Taglibs --%>
> <%@ taglib prefix="html" uri="/WEB-INF/struts-html-el.tld" %>
> <%@ taglib prefix="logic" uri="/WEB-INF/struts-logic-el.tld" %>
> 
> They are working fine and respond to EL included in their tags.
> 
> However, if we try to use EL outside of a tag it simply renders the EL into
> the HTML.
> 
> ${login.fullName} appears as ${login.fullName} on the rendered page.
> 
>  renders as the user full name.
> 
> In trying to track down why the naked EL won't work I added
> isELIgnored="false" to the page directive for the page and if we are not
> using any tags with EL in them it works. The naked EL will render what we
> are expecting. But as soon as we have a tag with EL in a value or other
> attribute the page will error on compile.
> 
> I'm confused because I thought EL was active by default and it does work in
> our tags but not  outside of any tags. Once we place the isELIgnored="false"
> in the page directive the EL works outside of the tags but fails when used
> inside some of the tags.
> 
> Can some one shed some light on this mystery? Also I have heard that using
> EL outside of tags can be a security problem and that it is better to use a
>  instead.
> 
> Thanks,
> Kurt
> 
> --
> Kurt Williams
> Marex Services
> [EMAIL PROTECTED]
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
> 
> 
> 
> --
> Notice:  This e-mail message, together with any attachments, contains 
> information of Merck & Co., Inc. (One Merck Drive, Whitehouse Station, New 
> Jersey, USA 08889), and/or its affiliates (which may be known outside the 
> United States as Merck Frosst, Merck Sharp & Dohme or MSD and in Japan, as 
> Banyu) that may be confidential, proprietary copyrighted and/or legally 
> privileged. It is intended solely for the use of the individual or entity named 
> on this message.  If you are not the intended recipient, and have received this 
> message in error, please notify us immediately by reply e-mail and then delete 
> it from your system.
> --
> 
> 




Re: EL Mystery

2005-03-23 Thread Jason Lea




hmm, having said that, it might be weird if the default behaviour was
to filter.

eg comparing

"${company.name} is cool"

and 

"${company.name} is cool"
${companyName}

would have the second one filtered twice.

It might be possible to only filter when not inside a tag.  But that
might then look inconsistent.  bah.


Jason Lea wrote:

> The default for bean:write and c:out is to filter the content.  Both
> can have filtering turned off if you wish.
> 
> Shame the ${} notation filter by default :(
> 
> I didn't notice that in the documentation and assumed I could replace
> all my c:out's with ${} which is nicer to write.  Would be nice if they
> changed this behaviour in the next version.


-- 
Jason Lea




No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.8.1 - Release Date: 2005.03.23


Re: EL Mystery

2005-03-23 Thread Folashade Adeyosoye
Or try escaping the 

true or false depending

hope that helps...


On Wed, 23 Mar 2005 15:56:02 -0500, Jeff Beal <[EMAIL PROTECTED]> wrote:
> On Wed, 23 Mar 2005 19:38:39 +, [EMAIL PROTECTED]
> <[EMAIL PROTECTED]> wrote:
> 
> > Can some one shed some light on this mystery? Also I have heard that using 
> > EL outside of tags can be a security problem and that it is better to use a 
> >  instead.
> 
> The security part of this was mentioned on the list sometime in the
> last couple of weeks.  The  tags will escape any
> HTML-sensitive characters, but the straight EL language does not.  So,
> let's say that your variable 'EL' that you were using is a String:
> ""
> 
>  would print:
>  and the user would
> just see the characters -- no harm done.
> 
> ${EL} would just print the String, and whatever script is included in
> 'nastybad.js' would be executed on the end-user's machine.
> 
> If you are confident that the contents of your EL variable couldn't
> possibly have any harmful HTML in them, go ahead and use ${EL}.
> 
> --
> Jeff Beal
> Webmedx, Inc.
> Pittsburgh, PA USA
> 
> 
>




Re: EL Mystery

2005-03-23 Thread Jason Lea




The default for bean:write and c:out is to filter the content.  Both
can have filtering turned off if you wish.

Shame the ${} notation filter by default :(

I didn't notice that in the documentation and assumed I could replace
all my c:out's with ${} which is nicer to write.  Would be nice if they
changed this behaviour in the next version.



Leon Rosenberg wrote:

> So, it's as much of security risk as bean:write? I mean you could turn the
> filter off and get the same effect?
> 
> Leon
> 
> > From: Jeff Beal [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, 23 March 2005 21:56
> > To: Struts Users Mailing List
> > Subject: Re: EL Mystery
> > 
> > On Wed, 23 Mar 2005 19:38:39 +, 
> > [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > 
> > > Can some one shed some light on this mystery? Also I have 
> > > heard that using EL outside of tags can be a security problem 
> > > and that it is better to use a  instead.
> > 
> > The security part of this was mentioned on the list sometime 
> > in the last couple of weeks.  The  tags will escape 
> > any HTML-sensitive characters, but the straight EL language 
> > does not.  So, let's say that your variable 'EL' that you 
> > were using is a String:
> > ""
> > 
> >  would print:
> > <script language="JavaScript" 
> > href="nastybad.js"></script> and the user 
> > would just see the characters -- no harm done.
> > 
> > ${EL} would just print the String, and whatever script is 
> > included in 'nastybad.js' would be executed on the end-user's machine.
> > 
> > If you are confident that the contents of your EL variable 
> > couldn't possibly have any harmful HTML in them, go ahead and 
> > use ${EL}.
> > 
> > --
> > Jeff Beal
> > Webmedx, Inc.
> > Pittsburgh, PA USA


-- 
Jason Lea






Re: EL Mystery

2005-03-23 Thread Leon Rosenberg
 
So, it's as much of security risk as bean:write? I mean you could turn the
filter off and get the same effect?

Leon

> From: Jeff Beal [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, 23 March 2005 21:56
> To: Struts Users Mailing List
> Subject: Re: EL Mystery
> 
> On Wed, 23 Mar 2005 19:38:39 +, 
> [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> 
> > Can some one shed some light on this mystery? Also I have 
> heard that using EL outside of tags can be a security problem 
> and that it is better to use a  instead.
> 
> The security part of this was mentioned on the list sometime 
> in the last couple of weeks.  The  tags will escape 
> any HTML-sensitive characters, but the straight EL language 
> does not.  So, let's say that your variable 'EL' that you 
> were using is a String:
> ""
> 
>  would print:
> <script language="JavaScript" 
> href="nastybad.js"></script> and the user 
> would just see the characters -- no harm done.
> 
> ${EL} would just print the String, and whatever script is 
> included in 'nastybad.js' would be executed on the end-user's machine.
> 
> If you are confident that the contents of your EL variable 
> couldn't possibly have any harmful HTML in them, go ahead and 
> use ${EL}.
> 
> --
> Jeff Beal
> Webmedx, Inc.
> Pittsburgh, PA USA
> 
> 
> 






Re: EL Mystery

2005-03-23 Thread Jeff Beal
On Wed, 23 Mar 2005 19:38:39 +, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:

> Can some one shed some light on this mystery? Also I have heard that using EL 
> outside of tags can be a security problem and that it is better to use a 
>  instead.

The security part of this was mentioned on the list sometime in the
last couple of weeks.  The  tags will escape any
HTML-sensitive characters, but the straight EL language does not.  So,
let's say that your variable 'EL' that you were using is a String:
""

 would print:
 and the user would
just see the characters -- no harm done.

${EL} would just print the String, and whatever script is included in
'nastybad.js' would be executed on the end-user's machine.

If you are confident that the contents of your EL variable couldn't
possibly have any harmful HTML in them, go ahead and use ${EL}.

-- 
Jeff Beal
Webmedx, Inc.
Pittsburgh, PA USA

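As an added illustration (not code from this thread, from JSTL or from Struts) of the difference Jeff describes, and of the double-filtering Jason raises further up the thread: a minimal re-implementation of the escaping that c:out applies, run on the string from Jeff's example. The class and method names are mine; the entity forms follow what JSTL's c:out emits with escapeXml left at its default.

```java
// Added example, not the thread's or JSTL's own code: compares raw ${EL}
// output with the filtered output of <c:out> / <bean:write filter="true">.
public class ElEscapeDemo {

    // Escape the five characters an HTML/XML parser treats specially. This is
    // the character set JSTL's c:out replaces when escapeXml is true (default).
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // What a bare ${EL} writes into the response: the value, unchanged.
    static String rawEl(String value) {
        return value;
    }

    public static void main(String[] args) {
        // The sample value from Jeff Beal's message (a constructed example).
        String el = "<script language=\"JavaScript\" href=\"nastybad.js\"></script>";

        // Raw EL hands the markup to the browser as live HTML.
        System.out.println("${EL}                  -> " + rawEl(el));
        // c:out turns it into text the user merely sees.
        System.out.println("<c:out value=\"${EL}\"/> -> " + escapeXml(el));

        // Jason Lea's point: filtering is not idempotent. If ${} filtered by
        // default, a c:out wrapped around it would escape the '&' of every
        // entity a second time, so "&lt;" would reach the browser as "&amp;lt;".
        String once = escapeXml(el);
        String twice = escapeXml(once);
        System.out.println("filtered twice         -> " + twice);
        System.out.println("double-escaped: " + !once.equals(twice));
    }
}
```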



RE: EL Mystery

2005-03-23 Thread Benedict, Paul C
Kurt,

JSP 2.0 containers have EL turned off implicitly if you are not using the
Servlet 2.4 spec. Check the top of your web.xml file -- if you see it is
referencing the 2.3 DTD, you need to change it to the 2.4 schema.

Thanks,
Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 23, 2005 2:39 PM
To: user@struts.apache.org
Subject: EL Mystery


I have been trying to solve a mystery concerning EL. 

We are using 4 taglibs in our project:

<%-- JSTL tag libs --%>
<%@ taglib prefix="fmt" uri="/WEB-INF/fmt.tld" %>
<%@ taglib prefix="c" uri="/WEB-INF/c.tld" %>

<%-- Struts provided Taglibs --%>
<%@ taglib prefix="html" uri="/WEB-INF/struts-html-el.tld" %>
<%@ taglib prefix="logic" uri="/WEB-INF/struts-logic-el.tld" %>

They are working fine and respond to EL included in their tags.

However, if we try to use EL outside of a tag it simply renders the EL into
the HTML.

${login.fullName} appears as ${login.fullName} on the rendered page.

 renders as the user full name.

In trying to track down why the naked EL won't work I added
isELIgnored="false" to the page directive for the page and if we are not
using any tags with EL in them it works. The naked EL will render what we
are expecting. But as soon as we have a tag with EL in a value or other
attribute the page will error on compile.

I'm confused because I thought EL was active by default and it does work in
our tags but not  outside of any tags. Once we place the isELIgnored="false"
in the page directive the EL works outside of the tags but fails when used
inside some of the tags.

Can some one shed some light on this mystery? Also I have heard that using
EL outside of tags can be a security problem and that it is better to use a
 instead.

Thanks,
Kurt

--
Kurt Williams
Marex Services
[EMAIL PROTECTED]






