ASF Bugzilla – Attachment 20891 Details for
Bug 43497
Add ability to escape rendered output of JSP expressions
[patch]
Patch to add the ability to escape the rendered output of JSP's EL by default
escapeEl.patch (text/plain), 11.30 KB, created by
Matt Raible
on 2007-09-26 19:04:34 UTC
Description:
Patch to add the ability to escape the rendered output of JSP's EL by default
Filename:
MIME Type:
Creator:
Matt Raible
Created:
2007-09-26 19:04:34 UTC
Size:
11.30 KB
patch
obsolete
>Index: java/org/apache/jasper/JspC.java
>===================================================================
>--- java/org/apache/jasper/JspC.java (revision 579866)
>+++ java/org/apache/jasper/JspC.java (working copy)
>@@ -115,6 +115,7 @@
> protected static final String SWITCH_MAPPED = "-mapped";
> protected static final String SWITCH_XPOWERED_BY = "-xpoweredBy";
> protected static final String SWITCH_TRIM_SPACES = "-trimSpaces";
>+ protected static final String SWITCH_ESCAPE_EL = "-escapeEl";
> protected static final String SWITCH_CLASSPATH = "-classpath";
> protected static final String SWITCH_DIE = "-die";
> protected static final String SWITCH_POOLING = "-poolingEnabled";
>@@ -140,6 +141,7 @@
> protected String classPath = null;
> protected URLClassLoader loader = null;
> protected boolean trimSpaces = false;
>+ protected boolean escapeEl = false;
> protected boolean genStringAsCharArray = false;
> protected boolean xpoweredBy;
> protected boolean mappedFile = false;
>@@ -298,6 +300,8 @@
> xpoweredBy = true;
> } else if (tok.equals(SWITCH_TRIM_SPACES)) {
> setTrimSpaces(true);
>+ } else if (tok.equals(SWITCH_ESCAPE_EL)) {
>+ setEscapeEl(true);
> } else if (tok.equals(SWITCH_CACHE)) {
> tok = nextArg();
> if ("false".equals(tok)) {
>@@ -369,6 +373,14 @@
> public void setTrimSpaces(boolean ts) {
> this.trimSpaces = ts;
> }
>+
>+ public boolean getEscapeEl() {
>+ return escapeEl;
>+ }
>+
>+ public void setEscapeEl(boolean ee) {
>+ this.escapeEl = ee;
>+ }
>
> public boolean isPoolingEnabled() {
> return poolingEnabled;
>Index: java/org/apache/jasper/EmbeddedServletOptions.java
>===================================================================
>--- java/org/apache/jasper/EmbeddedServletOptions.java (revision 579866)
>+++ java/org/apache/jasper/EmbeddedServletOptions.java (working copy)
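Review bot: getEscapeEl() and setEscapeEl() in the @@ -369 hunk carry no Javadoc, while the EmbeddedServletOptions.getEscapeEl() added by the same patch does; since JspC presumably is the Options implementation used for precompilation, this getter is the one that decides escaping for precompiled pages and deserves the same contract text. Add `/** Should the result of EL expressions be XML-escaped before it is written? Mirrors Options.getEscapeEl(). */` above the getter and `/** Enables default escaping of EL output; set by the -escapeEl switch. */` above the setter. The enclosing class starts and ends outside these hunks.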
>@@ -66,6 +66,11 @@
> private boolean trimSpaces = false;
>
> /**
>+ * Should expressions be XMLEscaped by default?
>+ */
>+ private boolean escapeEl = false;
>+
>+ /**
> * Determines whether tag handler pooling is enabled.
> */
> private boolean isPoolingEnabled = true;
>@@ -211,6 +216,13 @@
> return trimSpaces;
> }
>
>+ /**
>+ * Should the rendered value of el expressions be escaped?
>+ */
>+ public boolean getEscapeEl() {
>+ return escapeEl;
>+ }
>+
> public boolean isPoolingEnabled() {
> return isPoolingEnabled;
> }
>@@ -439,6 +451,19 @@
> }
> }
>
>+ String escapeEx = config.getInitParameter("escapeEl");
>+ if (escapeEx != null) {
>+ if (escapeEx.equalsIgnoreCase("true")) {
>+ escapeEl = true;
>+ } else if (escapeEx.equalsIgnoreCase("false")) {
>+ escapeEl = false;
>+ } else {
>+ if (log.isWarnEnabled()) {
>+ log.warn(Localizer.getMessage("jsp.warning.escapeel"));
>+ }
>+ }
>+ }
>+
> this.isPoolingEnabled = true;
> String poolingEnabledParam
> = config.getInitParameter("enablePooling");
>Index: java/org/apache/jasper/compiler/Generator.java
>===================================================================
>--- java/org/apache/jasper/compiler/Generator.java (revision 579866)
>+++ java/org/apache/jasper/compiler/Generator.java (working copy)
>@@ -803,9 +803,10 @@
> }
> return v;
> } else if (attr.isELInterpreterInput()) {
>+ boolean escapeEl = ctxt.getOptions().getEscapeEl();
> boolean replaceESC = v.indexOf(Constants.ESC) > 0;
> v = JspUtil.interpreterCall(this.isTagFile, v, expectedType,
>- attr.getEL().getMapName(), false);
>+ attr.getEL().getMapName(), escapeEl);
> // XXX ESC replacement hack
> if (replaceESC) {
> v = "(" + v + ").replace(" + Constants.ESCStr + ", '$')";
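Review bot: The invalid-value branch in the @@ -439 hunk calls `Localizer.getMessage("jsp.warning.escapeel")`, but no `jsp.warning.escapeel` entry is added to LocalStrings.properties — that file's hunk only adds the `-escapeEl` usage line — so the warning would come out as the raw key or a missing-resource message, depending on how Localizer handles an absent key. Add an entry to LocalStrings.properties, for example `jsp.warning.escapeel=Warning: Invalid value for the initParam escapeEl. Will use the default value of "false"` (constructed wording, modelled on the existing warnings for the other boolean init-params). The enclosing constructor starts and ends outside the hunk.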
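Review bot: Passing escapeEl into interpreterCall in the @@ -803 hunk escapes EL that is evaluated for a tag attribute — given `attr`, `expectedType` and `attr.getEL()` this appears to be the attribute-value path — whose result goes to the tag handler's setter rather than to the response. With escapeEl=true a value such as `<c:out value="${x}"/>` is escaped here and again by the tag (JSTL's c:out escapes by default), and attributes that are never written to the response, such as a value stored by c:set or a URL built by c:url, receive entity-encoded data. The @@ -2845 hunk has the same issue. If the option is meant to cover "rendered output" as the howto says, keep `false` at these two attribute sites and pass escapeEl only in the Node.ELExpression visitor, or document that attribute values are escaped as well. The enclosing method starts before the hunk.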
>@@ -888,10 +889,11 @@
> public void visit(Node.ELExpression n) throws JasperException {
> n.setBeginJavaLine(out.getJavaLine());
> if (!pageInfo.isELIgnored() && (n.getEL() != null)) {
>+ boolean escapeEl = ctxt.getOptions().getEscapeEl();
> out.printil("out.write("
> + JspUtil.interpreterCall(this.isTagFile, n.getType() + "{"
> + new String(n.getText()) + "}", String.class,
>- n.getEL().getMapName(), false) + ");");
>+ n.getEL().getMapName(), escapeEl) + ");");
> } else {
> out.printil("out.write("
> + quote(n.getType() + "{" + new String(n.getText()) + "}") + ");");
>@@ -2845,11 +2847,12 @@
> attrValue = sb.toString();
> } else {
> // run attrValue through the expression interpreter
>+ boolean escapeEl = ctxt.getOptions().getEscapeEl();
> boolean replaceESC = attrValue.indexOf(Constants.ESC) > 0;
> String mapName = (attr.getEL() != null) ? attr.getEL()
> .getMapName() : null;
> attrValue = JspUtil.interpreterCall(this.isTagFile,
>- attrValue, c[0], mapName, false);
>+ attrValue, c[0], mapName, escapeEl);
> // XXX hack: Replace ESC with '$'
> if (replaceESC) {
> attrValue = "(" + attrValue + ").replace("
>Index: java/org/apache/jasper/resources/LocalStrings.properties
>===================================================================
>--- java/org/apache/jasper/resources/LocalStrings.properties (revision 579866)
>+++ java/org/apache/jasper/resources/LocalStrings.properties (working copy)
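Review bot: The escaping chosen in visit(Node.ELExpression) is a single compile-time setting for every EL expression in template text, applied identically whether the expression sits in element content, inside an attribute value, inside a script block, or in a URL. Entity escaping — which the interpreterCall flag presumably selects, going by the "XMLEscaped" wording in EmbeddedServletOptions — is the right transform only for element content, so the option reduces but does not remove the need for context-appropriate encoding; and a page that already writes `${fn:escapeXml(x)}` will now emit double-escaped text, with no per-page or per-expression way to switch the option off. Add a comment at the call site, e.g. `// escapeEl applies entity escaping to every EL result in template text; it is not context-aware and stacks with explicit escaping`, and mention the double-escaping in the howto entry. The visitor's body ends outside the hunk.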
>@@ -256,6 +256,7 @@
> \ -classpath <path> Overrides java.class.path system property\n\
> \ -xpoweredBy Add X-Powered-By response header\n\
> \ -trimSpaces Trim spaces in template text between actions, directives\n\
>+\ -escapeEl Escape JSP expressions to remove HTML characters\n\
> \ -javaEncoding <enc> Set the encoding charset for Java classes (default UTF-8)\n\
> \ -source <version> Set the -source argument to the compiler (default 1.4)\n\
> \ -target <version> Set the -target argument to the compiler (default 1.4)\n\
>Index: java/org/apache/jasper/resources/LocalStrings_es.properties
>===================================================================
>--- java/org/apache/jasper/resources/LocalStrings_es.properties (revision 579866)
>+++ java/org/apache/jasper/resources/LocalStrings_es.properties (working copy)
>@@ -244,6 +244,7 @@
> \ -classpath <path> Pasa por alto la propiedad de sistema java.class.path\n\
> \ -xpoweredBy Añade cabecera de respuesta X-Powered-By\n\
> \ -trimSpaces Trim spaces in template text between actions, directives\n\
>+\ -escapeEl Escape JSP expressions to remove HTML characters\n\
> \ -javaEncoding <enc> Set the encoding charset for Java classes (default UTF-8)\n\
> \ -source <version> Set the -source argument to the compiler (default 1.4)\n\
> \ -target <version> Set the -target argument to the compiler (default 1.4)\n\
>Index: java/org/apache/jasper/resources/LocalStrings_fr.properties
>===================================================================
>--- java/org/apache/jasper/resources/LocalStrings_fr.properties (revision 579866)
>+++ java/org/apache/jasper/resources/LocalStrings_fr.properties (working copy)
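Review bot: The usage text `Escape JSP expressions to remove HTML characters` describes the option inaccurately on two counts: nothing is removed (the characters are encoded), and "JSP expressions" is the term for `<%= %>` scriptlet expressions, which this patch does not touch — only EL passed through JspUtil.interpreterCall is affected. Suggest `\ -escapeEl Escape HTML-significant characters in the output of EL expressions\n\`. The same English line is copied verbatim into the es, fr and ja bundles, which matches how the existing `-trimSpaces` line is handled there, so whatever wording is chosen should be updated in all four.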
>@@ -198,6 +198,7 @@
> \ -ieplugin <clsid> Le classid du Plugin Java Plugin pour Internet Explorer\n\
> \ -sax2 <driverclassname> Le nom de classe du Driver SAX 2.0 à utiliser\n\
> \ -trimSpaces Trim spaces in template text between actions, directives\n\
>+\ -escapeEl Escape JSP expressions to remove HTML characters\n\
> \ -javaEncoding <enc> Set the encoding charset for Java classes (default UTF-8)\n\
> \ -source <version> Set the -source argument to the compiler (default 1.4)\n\
> \ -target <version> Set the -target argument to the compiler (default 1.4)\n\
>Index: java/org/apache/jasper/resources/LocalStrings_ja.properties
>===================================================================
>--- java/org/apache/jasper/resources/LocalStrings_ja.properties (revision 579866)
>+++ java/org/apache/jasper/resources/LocalStrings_ja.properties (working copy)
>@@ -241,6 +241,7 @@
> \ -xpoweredBy X-Powered-By\u30ec\u30b9\u30dd\u30f3\u30b9\u30d8\u30c3\u30c0\u306e\u8ffd\u52a0\n\
> \ -trimSpaces \u30a2\u30af\u30b7\u30e7\u30f3\u3084\u6307\u793a\u5b50\u306e\u9593\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u30c6\u30ad\u30b9\u30c8\u4e2d\u306e\u30b9\u30da\u30fc\u30b9\u3092\u524a\u9664\n\
> \ -trimSpaces Trim spaces in template text between actions, directives\n\
>+\ -escapeEl Escape JSP expressions to remove HTML characters\n\
> \ -javaEncoding <enc> Set the encoding charset for Java classes (default UTF-8)\n\
> \ -source <version> Set the -source argument to the compiler (default 1.4)\n\
> \ -target <version> Set the -target argument to the compiler (default 1.4)\n\
>Index: java/org/apache/jasper/Options.java
>===================================================================
>--- java/org/apache/jasper/Options.java (revision 579866)
>+++ java/org/apache/jasper/Options.java (working copy)
>@@ -97,6 +97,11 @@
> * Should white spaces between directives or actions be trimmed?
> */
> public boolean getTrimSpaces();
>+
>+ /**
>+ * Should the rendered output of JSP expressions be HTML-escaped?
>+ */
>+ public boolean getEscapeEl();
>
> /**
> * Class ID for use in the plugin tag when the browser is IE.
>Index: conf/web.xml
>===================================================================
>--- conf/web.xml (revision 579866)
>+++ conf/web.xml (working copy)
>@@ -188,6 +188,9 @@
> <!-- trimSpaces Should white spaces in template text between -->
> <!-- actions or directives be trimmed? [false] -->
> <!-- -->
>+ <!-- escapeEl Should the rendered output of JSP expressions -->
>+ <!-- be HTML escaped? [false] -->
>+ <!-- -->
> <!-- suppressSmap Should the generation of SMAP info for JSR45 -->
> <!-- debugging be suppressed? [false] -->
> <!-- -->
>Index: webapps/docs/jasper-howto.xml
>===================================================================
>--- webapps/docs/jasper-howto.xml (revision 579866)
>+++ webapps/docs/jasper-howto.xml (working copy)
>@@ -158,7 +158,10 @@
> application.</li>
>
> <li><strong>trimSpaces</strong> - Should white spaces in template text between
>-actions or directives be trimmed ?, default <code>false</code>.</li>
>+actions or directives be trimmed?, default <code>false</code>.</li>
>+
>+<li><strong>escapeEl</strong> - Should the rendered output of JSP expressions be
>+escaped by default (to prevent XSS issues)?, default <code>false</code>.</li>
> </ul>
> </p>
>
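Review bot: The Javadoc on Options.getEscapeEl() says "HTML-escaped" while the EmbeddedServletOptions field added by the same patch says "XMLEscaped", and both say "JSP expressions" although only EL evaluated through JspUtil.interpreterCall is affected, not `<%= %>` expressions. Pick the term that matches what the interpreterCall flag actually does and use it consistently in Options, EmbeddedServletOptions, conf/web.xml and jasper-howto.xml, e.g. `Should the result of EL expressions be XML-escaped before it is written to the output? Scriptlet expressions are not affected.`. The howto entry's "(to prevent XSS issues)" should also state that the same escaping is applied regardless of where the expression appears in the page, so it does not replace context-appropriate encoding. The Options interface continues outside the hunk.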