Attachment 20891 Details for Bug 43497 – Patch to add the ability to escape the rendered output of JSP's EL by default

[patch] Patch to add the ability to escape the rendered output of JSP's EL by default

escapeEl.patch (text/plain), 11.30 KB, created by Matt Raible on 2007-09-26 19:04:34 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Matt Raible

Created: 2007-09-26 19:04:34 UTC

Size: 11.30 KB

patch

obsolete

>Index: java/org/apache/jasper/JspC.java
>===================================================================
>--- java/org/apache/jasper/JspC.java	(revision 579866)
>+++ java/org/apache/jasper/JspC.java	(working copy)
>@@ -115,6 +115,7 @@
> protected static final String SWITCH_MAPPED = "-mapped";
> protected static final String SWITCH_XPOWERED_BY = "-xpoweredBy";
> protected static final String SWITCH_TRIM_SPACES = "-trimSpaces";
>+ protected static final String SWITCH_ESCAPE_EL = "-escapeEl";
> protected static final String SWITCH_CLASSPATH = "-classpath";
> protected static final String SWITCH_DIE = "-die";
> protected static final String SWITCH_POOLING = "-poolingEnabled";
>@@ -140,6 +141,7 @@
> protected String classPath = null;
> protected URLClassLoader loader = null;
> protected boolean trimSpaces = false;
>+ protected boolean escapeEl = false;
> protected boolean genStringAsCharArray = false;
> protected boolean xpoweredBy;
> protected boolean mappedFile = false;
>@@ -298,6 +300,8 @@
> xpoweredBy = true;
> } else if (tok.equals(SWITCH_TRIM_SPACES)) {
> setTrimSpaces(true);
>+ } else if (tok.equals(SWITCH_ESCAPE_EL)) {
>+ setEscapeEl(true);
> } else if (tok.equals(SWITCH_CACHE)) {
> tok = nextArg();
> if ("false".equals(tok)) {
>@@ -369,6 +373,14 @@
> public void setTrimSpaces(boolean ts) {
> this.trimSpaces = ts;
> }
>+ 
>+ public boolean getEscapeEl() {
>+ return escapeEl;
>+ }
>+ 
>+ public void setEscapeEl(boolean ee) {
>+ this.escapeEl = ee;
>+ }
> 
> public boolean isPoolingEnabled() {
> return poolingEnabled;
>Index: java/org/apache/jasper/EmbeddedServletOptions.java
>===================================================================
>--- java/org/apache/jasper/EmbeddedServletOptions.java	(revision 579866)
>+++ java/org/apache/jasper/EmbeddedServletOptions.java	(working copy)
>@@ -66,6 +66,11 @@
> private boolean trimSpaces = false;
> 
> /**
>+ * Should expressions be XMLEscaped by default?
>+ */
>+ private boolean escapeEl = false;
>+ 
>+ /**
> * Determines whether tag handler pooling is enabled.
> */
> private boolean isPoolingEnabled = true;
>@@ -211,6 +216,13 @@
> return trimSpaces;
> }
> 
>+ /**
>+ * Should the rendered value of el expressions be escaped?
>+ */
>+ public boolean getEscapeEl() {
>+ return escapeEl;
>+ }
>+ 
> public boolean isPoolingEnabled() {
> return isPoolingEnabled;
> }
>@@ -439,6 +451,19 @@
> }
> }
> 
>+ String escapeEx = config.getInitParameter("escapeEl"); 
>+ if (escapeEx != null) {
>+ if (escapeEx.equalsIgnoreCase("true")) {
>+ escapeEl = true;
>+ } else if (escapeEx.equalsIgnoreCase("false")) {
>+ escapeEl = false;
>+ } else {
>+ if (log.isWarnEnabled()) {
>+ log.warn(Localizer.getMessage("jsp.warning.escapeel"));
>+ }
>+ }
>+ }
>+ 
> this.isPoolingEnabled = true;
> String poolingEnabledParam
> = config.getInitParameter("enablePooling"); 
>Index: java/org/apache/jasper/compiler/Generator.java
>===================================================================
>--- java/org/apache/jasper/compiler/Generator.java	(revision 579866)
>+++ java/org/apache/jasper/compiler/Generator.java	(working copy)
>@@ -803,9 +803,10 @@
> }
> return v;
> } else if (attr.isELInterpreterInput()) {
>+ boolean escapeEl = ctxt.getOptions().getEscapeEl();
> boolean replaceESC = v.indexOf(Constants.ESC) > 0;
> v = JspUtil.interpreterCall(this.isTagFile, v, expectedType,
>- attr.getEL().getMapName(), false);
>+ attr.getEL().getMapName(), escapeEl);
> // XXX ESC replacement hack
> if (replaceESC) {
> v = "(" + v + ").replace(" + Constants.ESCStr + ", '$')";
>@@ -888,10 +889,11 @@
> public void visit(Node.ELExpression n) throws JasperException {
> n.setBeginJavaLine(out.getJavaLine());
> if (!pageInfo.isELIgnored() && (n.getEL() != null)) {
>+ boolean escapeEl = ctxt.getOptions().getEscapeEl();
> out.printil("out.write("
> + JspUtil.interpreterCall(this.isTagFile, n.getType() + "{"
> + new String(n.getText()) + "}", String.class,
>- n.getEL().getMapName(), false) + ");");
>+ n.getEL().getMapName(), escapeEl) + ");");
> } else {
> out.printil("out.write("
> + quote(n.getType() + "{" + new String(n.getText()) + "}") + ");");
>@@ -2845,11 +2847,12 @@
> attrValue = sb.toString();
> } else {
> // run attrValue through the expression interpreter
>+ boolean escapeEl = ctxt.getOptions().getEscapeEl();
> boolean replaceESC = attrValue.indexOf(Constants.ESC) > 0;
> String mapName = (attr.getEL() != null) ? attr.getEL()
> .getMapName() : null;
> attrValue = JspUtil.interpreterCall(this.isTagFile,
>- attrValue, c[0], mapName, false);
>+ attrValue, c[0], mapName, escapeEl);
> // XXX hack: Replace ESC with '$'
> if (replaceESC) {
> attrValue = "(" + attrValue + ").replace("
>Index: java/org/apache/jasper/resources/LocalStrings.properties
>===================================================================
>--- java/org/apache/jasper/resources/LocalStrings.properties	(revision 579866)
>+++ java/org/apache/jasper/resources/LocalStrings.properties	(working copy)
>@@ -256,6 +256,7 @@
> \ -classpath <path> Overrides java.class.path system property\n\
> \ -xpoweredBy Add X-Powered-By response header\n\
> \ -trimSpaces Trim spaces in template text between actions, directives\n\
>+\ -escapeEl Escape JSP expressions to remove HTML characters\n\
> \ -javaEncoding <enc> Set the encoding charset for Java classes (default UTF-8)\n\
> \ -source <version> Set the -source argument to the compiler (default 1.4)\n\
> \ -target <version> Set the -target argument to the compiler (default 1.4)\n\
>Index: java/org/apache/jasper/resources/LocalStrings_es.properties
>===================================================================
>--- java/org/apache/jasper/resources/LocalStrings_es.properties	(revision 579866)
>+++ java/org/apache/jasper/resources/LocalStrings_es.properties	(working copy)
>@@ -244,6 +244,7 @@
> \ -classpath <path> Pasa por alto la propiedad de sistema java.class.path\n\
> \ -xpoweredBy Añade cabecera de respuesta X-Powered-By\n\
> \ -trimSpaces Trim spaces in template text between actions, directives\n\
>+\ -escapeEl Escape JSP expressions to remove HTML characters\n\
> \ -javaEncoding <enc> Set the encoding charset for Java classes (default UTF-8)\n\
> \ -source <version> Set the -source argument to the compiler (default 1.4)\n\
> \ -target <version> Set the -target argument to the compiler (default 1.4)\n\
>Index: java/org/apache/jasper/resources/LocalStrings_fr.properties
>===================================================================
>--- java/org/apache/jasper/resources/LocalStrings_fr.properties	(revision 579866)
>+++ java/org/apache/jasper/resources/LocalStrings_fr.properties	(working copy)
>@@ -198,6 +198,7 @@
> \ -ieplugin <clsid> Le classid du Plugin Java Plugin pour Internet Explorer\n\
> \ -sax2 <driverclassname> Le nom de classe du Driver SAX 2.0 à utiliser\n\
> \ -trimSpaces Trim spaces in template text between actions, directives\n\
>+\ -escapeEl Escape JSP expressions to remove HTML characters\n\
> \ -javaEncoding <enc> Set the encoding charset for Java classes (default UTF-8)\n\
> \ -source <version> Set the -source argument to the compiler (default 1.4)\n\
> \ -target <version> Set the -target argument to the compiler (default 1.4)\n\
>Index: java/org/apache/jasper/resources/LocalStrings_ja.properties
>===================================================================
>--- java/org/apache/jasper/resources/LocalStrings_ja.properties	(revision 579866)
>+++ java/org/apache/jasper/resources/LocalStrings_ja.properties	(working copy)
>@@ -241,6 +241,7 @@
> \ -xpoweredBy X-Powered-By\u30ec\u30b9\u30dd\u30f3\u30b9\u30d8\u30c3\u30c0\u306e\u8ffd\u52a0\n\
> \ -trimSpaces \u30a2\u30af\u30b7\u30e7\u30f3\u3084\u6307\u793a\u5b50\u306e\u9593\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u30c6\u30ad\u30b9\u30c8\u4e2d\u306e\u30b9\u30da\u30fc\u30b9\u3092\u524a\u9664\n\
> \ -trimSpaces Trim spaces in template text between actions, directives\n\
>+\ -escapeEl Escape JSP expressions to remove HTML characters\n\
> \ -javaEncoding <enc> Set the encoding charset for Java classes (default UTF-8)\n\
> \ -source <version> Set the -source argument to the compiler (default 1.4)\n\
> \ -target <version> Set the -target argument to the compiler (default 1.4)\n\
>Index: java/org/apache/jasper/Options.java
>===================================================================
>--- java/org/apache/jasper/Options.java	(revision 579866)
>+++ java/org/apache/jasper/Options.java	(working copy)
>@@ -97,6 +97,11 @@
> * Should white spaces between directives or actions be trimmed?
> */
> public boolean getTrimSpaces();
>+ 
>+ /**
>+ * Should the rendered output of JSP expressions be HTML-escaped?
>+ */
>+ public boolean getEscapeEl();
> 
> /**
> * Class ID for use in the plugin tag when the browser is IE. 
>Index: conf/web.xml
>===================================================================
>--- conf/web.xml	(revision 579866)
>+++ conf/web.xml	(working copy)
>@@ -188,6 +188,9 @@
> 
> 
> 
>+ 
>+ 
>+ 
> 
> 
> 
>Index: webapps/docs/jasper-howto.xml
>===================================================================
>--- webapps/docs/jasper-howto.xml	(revision 579866)
>+++ webapps/docs/jasper-howto.xml	(working copy)
>@@ -158,7 +158,10 @@
> application.</li>
> 
> <li>trimSpaces - Should white spaces in template text between
>-actions or directives be trimmed ?, default <code>false</code>.</li>
>+actions or directives be trimmed?, default <code>false</code>.</li>
>+
>+<li>escapeEl - Should the rendered output of JSP expressions be
>+escaped by default (to prevent XSS issues)?, default <code>false</code>.</li>
> </ul>
> 
>

Actions: View | Diff

Attachments on bug 43497: 20891