Index: java/org/apache/jasper/JspC.java
===================================================================
--- java/org/apache/jasper/JspC.java (revision 579866)
+++ java/org/apache/jasper/JspC.java (working copy)
@@ -115,6 +115,7 @@
 protected static final String SWITCH_MAPPED = "-mapped";
 protected static final String SWITCH_XPOWERED_BY = "-xpoweredBy";
 protected static final String SWITCH_TRIM_SPACES = "-trimSpaces";
+ protected static final String SWITCH_ESCAPE_EL = "-escapeEl";
 protected static final String SWITCH_CLASSPATH = "-classpath";
 protected static final String SWITCH_DIE = "-die";
 protected static final String SWITCH_POOLING = "-poolingEnabled";
@@ -140,6 +141,7 @@
 protected String classPath = null;
 protected URLClassLoader loader = null;
 protected boolean trimSpaces = false;
+ protected boolean escapeEl = false;
 protected boolean genStringAsCharArray = false;
 protected boolean xpoweredBy;
 protected boolean mappedFile = false;
@@ -298,6 +300,8 @@
 xpoweredBy = true;
 } else if (tok.equals(SWITCH_TRIM_SPACES)) {
 setTrimSpaces(true);
+ } else if (tok.equals(SWITCH_ESCAPE_EL)) {
+ setEscapeEl(true);
 } else if (tok.equals(SWITCH_CACHE)) {
 tok = nextArg();
 if ("false".equals(tok)) {
@@ -369,6 +373,14 @@
 public void setTrimSpaces(boolean ts) {
 this.trimSpaces = ts;
 }
+
+ public boolean getEscapeEl() {
+ return escapeEl;
+ }
+
+ public void setEscapeEl(boolean ee) {
+ this.escapeEl = ee;
+ }
 
 public boolean isPoolingEnabled() {
 return poolingEnabled;
Index: java/org/apache/jasper/EmbeddedServletOptions.java
===================================================================
--- java/org/apache/jasper/EmbeddedServletOptions.java (revision 579866)
+++ java/org/apache/jasper/EmbeddedServletOptions.java (working copy)
@@ -66,6 +66,11 @@ private boolean trimSpaces = false; /** + * Should expressions be XMLEscaped by default? + */ + private boolean escapeEl = false; + + /** * Determines whether tag handler pooling is enabled. */ private boolean isPoolingEnabled = true; @@ -211,6 +216,13 @@ return trimSpaces; } + /** + * Should the rendered value of el expressions be escaped? + */ + public boolean getEscapeEl() { + return escapeEl; + } + public boolean isPoolingEnabled() { return isPoolingEnabled; } @@ -439,6 +451,19 @@ } } + String escapeEx = config.getInitParameter("escapeEl"); + if (escapeEx != null) { + if (escapeEx.equalsIgnoreCase("true")) { + escapeEl = true; + } else if (escapeEx.equalsIgnoreCase("false")) { + escapeEl = false; + } else { + if (log.isWarnEnabled()) { + log.warn(Localizer.getMessage("jsp.warning.escapeel")); + } + } + } + this.isPoolingEnabled = true; String poolingEnabledParam = config.getInitParameter("enablePooling"); Index: java/org/apache/jasper/compiler/Generator.java =================================================================== --- java/org/apache/jasper/compiler/Generator.java (revision 579866) +++ java/org/apache/jasper/compiler/Generator.java (working copy) @@ -803,9 +803,10 @@ } return v; } else if (attr.isELInterpreterInput()) { + boolean escapeEl = ctxt.getOptions().getEscapeEl(); boolean replaceESC = v.indexOf(Constants.ESC) > 0; v = JspUtil.interpreterCall(this.isTagFile, v, expectedType, - attr.getEL().getMapName(), false); + attr.getEL().getMapName(), escapeEl); // XXX ESC replacement hack if (replaceESC) { v = "(" + v + ").replace(" + Constants.ESCStr + ", '$')"; 
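Review bot: `Localizer.getMessage("jsp.warning.escapeel")` in the new init-param parsing (hunk -439) refers to a message key that none of the LocalStrings hunks in this patch add — they only add the `-escapeEl` usage line — so an unrecognised `escapeEl` value would log whatever Localizer returns for a missing key instead of the intended warning; add `jsp.warning.escapeel=Invalid value for the initParam escapeEl. Will use the default value of "false"` to LocalStrings.properties unless the key already exists. Note also that the fallback branch leaves `escapeEl` at `false`, i.e. a typo in the configured value silently disables escaping at WARN level; stating that in the warning text helps operators notice it. The field comment in hunk -66 says "XMLEscaped" while the Options.java Javadoc says "HTML-escaped"; pick one wording so readers know which characters are affected.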
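Review bot: The new `escapeEl` flag is passed to `JspUtil.interpreterCall` for EL inside action attribute values here (hunk -803) and again in hunk -2845, not only for template-text EL output (hunk -888), so with `escapeEl=true` a tag handler receives the escaped string as its attribute value rather than the raw evaluated value. Escaping is an output-context concern; applying it to data handed to tag handlers (which may not render it as HTML at all) can corrupt that data, and it does not make the handler's own output safe. If that is intended, say so explicitly in the Options Javadoc; otherwise keep `false` in the two attribute paths and escape only on the `Node.ELExpression` output path. The enclosing method starts and ends outside this hunk.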
@@ -888,10 +889,11 @@ public void visit(Node.ELExpression n) throws JasperException { n.setBeginJavaLine(out.getJavaLine()); if (!pageInfo.isELIgnored() && (n.getEL() != null)) { + boolean escapeEl = ctxt.getOptions().getEscapeEl(); out.printil("out.write(" + JspUtil.interpreterCall(this.isTagFile, n.getType() + "{" + new String(n.getText()) + "}", String.class, - n.getEL().getMapName(), false) + ");"); + n.getEL().getMapName(), escapeEl) + ");"); } else { out.printil("out.write(" + quote(n.getType() + "{" + new String(n.getText()) + "}") + ");"); @@ -2845,11 +2847,12 @@ attrValue = sb.toString(); } else { // run attrValue through the expression interpreter + boolean escapeEl = ctxt.getOptions().getEscapeEl(); boolean replaceESC = attrValue.indexOf(Constants.ESC) > 0; String mapName = (attr.getEL() != null) ? attr.getEL() .getMapName() : null; attrValue = JspUtil.interpreterCall(this.isTagFile, - attrValue, c[0], mapName, false); + attrValue, c[0], mapName, escapeEl); // XXX hack: Replace ESC with '$' if (replaceESC) { attrValue = "(" + attrValue + ").replace(" Index: java/org/apache/jasper/resources/LocalStrings.properties =================================================================== --- java/org/apache/jasper/resources/LocalStrings.properties (revision 579866) +++ java/org/apache/jasper/resources/LocalStrings.properties (working copy) 
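Review bot: `ctxt.getOptions().getEscapeEl()` is re-read inside every visitor method that calls `interpreterCall` (here, hunk -803 and hunk -2845). If the options cannot change during one generation pass — which the surrounding code suggests but this hunk does not show — a single `private final boolean escapeEl` initialised once in the visitor's constructor would avoid the repeated lookup and make the dependency on the option visible in one place. The enclosing `visit` method ends outside the hunk.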
@@ -256,6 +256,7 @@
 \ -classpath Overrides java.class.path system property\n\
 \ -xpoweredBy Add X-Powered-By response header\n\
 \ -trimSpaces Trim spaces in template text between actions, directives\n\
+\ -escapeEl Escape JSP expressions to remove HTML characters\n\
 \ -javaEncoding Set the encoding charset for Java classes (default UTF-8)\n\
 \ -source Set the -source argument to the compiler (default 1.4)\n\
 \ -target Set the -target argument to the compiler (default 1.4)\n\
Index: java/org/apache/jasper/resources/LocalStrings_es.properties
===================================================================
--- java/org/apache/jasper/resources/LocalStrings_es.properties (revision 579866)
+++ java/org/apache/jasper/resources/LocalStrings_es.properties (working copy)
@@ -244,6 +244,7 @@
 \ -classpath Pasa por alto la propiedad de sistema java.class.path\n\
 \ -xpoweredBy Aņade cabecera de respuesta X-Powered-By\n\
 \ -trimSpaces Trim spaces in template text between actions, directives\n\
+\ -escapeEl Escape JSP expressions to remove HTML characters\n\
 \ -javaEncoding Set the encoding charset for Java classes (default UTF-8)\n\
 \ -source Set the -source argument to the compiler (default 1.4)\n\
 \ -target Set the -target argument to the compiler (default 1.4)\n\
Index: java/org/apache/jasper/resources/LocalStrings_fr.properties
===================================================================
--- java/org/apache/jasper/resources/LocalStrings_fr.properties (revision 579866)
+++ java/org/apache/jasper/resources/LocalStrings_fr.properties (working copy)
@@ -198,6 +198,7 @@
 \ -ieplugin Le classid du Plugin Java Plugin pour Internet Explorer\n\
 \ -sax2 Le nom de classe du Driver SAX 2.0 ā utiliser\n\
 \ -trimSpaces Trim spaces in template text between actions, directives\n\
+\ -escapeEl Escape JSP expressions to remove HTML characters\n\
 \ -javaEncoding Set the encoding charset for Java classes (default UTF-8)\n\
 \ -source Set the -source argument to the compiler (default 1.4)\n\
 \ -target Set the -target argument to the compiler (default 1.4)\n\
Index: java/org/apache/jasper/resources/LocalStrings_ja.properties
===================================================================
--- java/org/apache/jasper/resources/LocalStrings_ja.properties (revision 579866)
+++ java/org/apache/jasper/resources/LocalStrings_ja.properties (working copy)
@@ -241,6 +241,7 @@
 \ -xpoweredBy X-Powered-By\u30ec\u30b9\u30dd\u30f3\u30b9\u30d8\u30c3\u30c0\u306e\u8ffd\u52a0\n\
 \ -trimSpaces \u30a2\u30af\u30b7\u30e7\u30f3\u3084\u6307\u793a\u5b50\u306e\u9593\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u30c6\u30ad\u30b9\u30c8\u4e2d\u306e\u30b9\u30da\u30fc\u30b9\u3092\u524a\u9664\n\
 \ -trimSpaces Trim spaces in template text between actions, directives\n\
+\ -escapeEl Escape JSP expressions to remove HTML characters\n\
 \ -javaEncoding Set the encoding charset for Java classes (default UTF-8)\n\
 \ -source Set the -source argument to the compiler (default 1.4)\n\
 \ -target Set the -target argument to the compiler (default 1.4)\n\
Index: java/org/apache/jasper/Options.java
===================================================================
--- java/org/apache/jasper/Options.java (revision 579866)
+++ java/org/apache/jasper/Options.java (working copy)
@@ -97,6 +97,11 @@ * Should white spaces between directives or actions be trimmed? */ public boolean getTrimSpaces(); + + /** + * Should the rendered output of JSP expressions be HTML-escaped? + */ + public boolean getEscapeEl(); /** * Class ID for use in the plugin tag when the browser is IE. Index: conf/web.xml =================================================================== --- conf/web.xml (revision 579866) +++ conf/web.xml (working copy) @@ -188,6 +188,9 @@ + + + Index: webapps/docs/jasper-howto.xml =================================================================== --- webapps/docs/jasper-howto.xml (revision 579866) +++ webapps/docs/jasper-howto.xml (working copy) @@ -158,7 +158,10 @@ application.
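Review bot: `public boolean getEscapeEl();` adds an abstract method to the public `Options` interface, so any implementation of `Options` outside this patch (only `JspC` and `EmbeddedServletOptions` are updated here) will stop compiling, or fail with `AbstractMethodError` when Jasper calls it at runtime; this deserves a mention in the changelog and in the Javadoc. The Javadoc should also state precisely what the flag covers, since the Generator hunks show it affects only EL evaluated through `JspUtil.interpreterCall`, including EL in action attribute values, and not `<%= %>` expressions, which "rendered output of JSP expressions" could be read to include. Proposed wording: `Should the rendered output of EL expressions (template text and action attribute values, not scriptlet expressions) be HTML-escaped? Defaults to false.`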
  • trimSpaces - Should white spaces in template text between -actions or directives be trimmed ?, default false.
  • +actions or directives be trimmed?, default false. + +
  • escapeEl - Should the rendered output of JSP expressions be +escaped by default (to prevent XSS issues)?, default false.