Jason Pettiss wrote:
Inline JSP2:

${fn:escapeXml(blah)}

That does, however, and in the cases you'd be worried about, xml-escapage isn't all that irritating. It does mean you have to worry, though.

Yes, I know... and I often use my own escapeXml which translates CRs to <br/>. However, the irritation comes from worrying about the half-dozen people on my team, including creative-types that might not understand all the repercussions of missing an escape. One mistake and instant cross-site-scripting vulnerability. The default of not-escaping was really dumb in JSP, which is designed to be a web-language (unlike velocity, which tries to tread some sort of neutral path).

Whoever made this decision in JSP chose the opposite of fail-safe. If someone makes a mistake now, a non-obvious XSS vulnerability is introduced. If the case were reverted, a mistake would simply result in a fairly obvious, non-hazardous display error. Dumb dumb dumb.

Jeff
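The point both posters are circling is what a value looks like on the way to the browser with and without `fn:escapeXml`, and what the "escapeXml that also emits `<br/>`" variant Jeff mentions has to get right. The following is an added Java example, not code from either poster or from JSTL; the class name `SafeOutput`, the helper names `renderRaw`/`renderEscaped` and the sample input are assumptions made for the illustration. It escapes the same five characters JSTL's `fn:escapeXml` does and then turns CR, LF or CRLF into `<br/>`, so the line-break markup is never itself escaped and user-supplied `<` can never become a tag.

```java
import java.util.Objects;

/** Added example (not from the thread): a JSTL-style escapeXml that also turns line breaks into <br/>. */
public final class SafeOutput {

    // Escapes the five characters JSTL's fn:escapeXml handles (&, <, >, ", '),
    // then renders CR, LF or CRLF as <br/> so multi-line user text keeps its breaks.
    // Because the escaping and the <br/> emission happen in one pass, the emitted
    // <br/> is never escaped and no user-supplied '<' survives unescaped.
    public static String escapeXml(String input) {
        if (input == null) return "";
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                case '\r':
                    // Treat CRLF as a single line break rather than two.
                    if (i + 1 < input.length() && input.charAt(i + 1) == '\n') i++;
                    out.append("<br/>");
                    break;
                case '\n': out.append("<br/>"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Mirrors the unsafe JSP form ${blah}: the value goes to the browser verbatim.
    public static String renderRaw(String value) {
        return "<p>" + Objects.toString(value, "") + "</p>";
    }

    // Mirrors the safe JSP form ${fn:escapeXml(blah)} (plus the <br/> conversion).
    public static String renderEscaped(String value) {
        return "<p>" + escapeXml(value) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for a user-controlled field.
        String userInput = "line one\r\n<b>not bold</b> & \"quoted\"";
        System.out.println(renderRaw(userInput));      // markup reaches the browser as markup
        System.out.println(renderEscaped(userInput));  // inert text, with one <br/> for the CRLF
    }
}
```

Run it with `javac SafeOutput.java && java SafeOutput`. The first line printed shows why a forgotten escape is the failure mode Jeff describes (the `<b>` tag is interpreted), while the second shows the fail-safe direction: a value that is escaped when it did not need to be only renders slightly oddly, which is visible in testing instead of silently exploitable.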
