This post originated from an RSS feed registered with Java Buzz
by Norman Richards.
Original Post: EL in JSP should be escaped by default
Feed Title: Orb [norman richards]
Feed URL: http://members.capmac.org/~orb/blog.cgi/tech/java?flav=rss
Feed Description: Monkey number 312,978,199
It's absolute lunacy that the default is to not escape values. If you've ever created a publicly accessible web application, it takes all of about 15 minutes to realize that you need to aggressively escape any displayed data that could have been modified by the user. You should really escape everything, even things that are assumed to be "clean" already. Since you almost always want escaping, a ${simpleExpression} should default to escaping so you don't have to litter your page with <c:out>ugly tags</c:out>.
When you do have a variable that contains HTML that needs to go directly to the page, then using the c:out tag with escapeXml="false" should be required. In those rare cases, the extra work required is reasonable. It also alerts anyone working on that page that the expression is potentially dangerous and should be handled with extreme care.
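To make the two halves of the argument concrete, here is an added example (my own code, not from the original post or from the JSP/JSTL projects). `escapeXml` reproduces the substitution JSTL's c:out applies when escapeXml is true, so you can see exactly what a bare `${...}` skips; `findRawExpressions` is a small lint that reports every EL expression in a page that reaches the browser unescaped, which is the review step you end up doing by hand when the default is the wrong way round. The class name, the method names and the JSP fragment in `main` are constructed for this example; the lint is a regex heuristic (it treats any `${...}` outside a c:out tag, or inside a c:out with escapeXml="false", as raw) and is not a full JSP parser.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example; not code from the original post or from the JSP/JSTL projects.
public final class JspElEscaping {

    /** The substitution JSTL's c:out applies when escapeXml="true" (its default). */
    public static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    private static final Pattern EL_EXPR = Pattern.compile("\\$\\{[^}]*\\}");
    private static final Pattern C_OUT_TAG = Pattern.compile("<c:out\\b[^>]*>");

    /**
     * Lists every ${...} whose value reaches the browser unescaped: bare expressions in
     * template text or in attributes of other tags, and c:out tags with escapeXml="false".
     * Heuristic only: it does not parse the page, it matches tags and expressions by regex.
     */
    public static List<String> findRawExpressions(String jsp) {
        List<int[]> escapedSpans = new ArrayList<>();
        Matcher tag = C_OUT_TAG.matcher(jsp);
        while (tag.find()) {
            // Whitespace is stripped so escapeXml = "false" and escapeXml="false" both match.
            boolean rawOnPurpose = tag.group().replaceAll("\\s", "").contains("escapeXml=\"false\"");
            if (!rawOnPurpose) {
                escapedSpans.add(new int[] {tag.start(), tag.end()});
            }
        }
        List<String> findings = new ArrayList<>();
        Matcher expr = EL_EXPR.matcher(jsp);
        while (expr.find()) {
            boolean escaped = false;
            for (int[] span : escapedSpans) {
                if (expr.start() >= span[0] && expr.end() <= span[1]) {
                    escaped = true;
                    break;
                }
            }
            if (!escaped) {
                findings.add("line " + lineOf(jsp, expr.start()) + ": " + expr.group());
            }
        }
        return findings;
    }

    /** 1-based line number of a character offset, for readable findings. */
    private static int lineOf(String text, int offset) {
        int line = 1;
        for (int i = 0; i < offset; i++) {
            if (text.charAt(i) == '\n') {
                line++;
            }
        }
        return line;
    }

    public static void main(String[] args) {
        // Constructed JSP fragment mixing the three forms discussed in the post:
        // bare EL, c:out with default escaping, and c:out with escapeXml="false".
        String page = String.join("\n",
            "<%@ taglib prefix=\"c\" uri=\"http://java.sun.com/jsp/jstl/core\" %>",
            "<h1>Results for ${param.q}</h1>",
            "<p><c:out value=\"${comment.text}\"/></p>",
            "<div><c:out value=\"${article.bodyHtml}\" escapeXml=\"false\"/></div>",
            "<a href=\"${link.url}\">more</a>");
        for (String finding : findRawExpressions(page)) {
            System.out.println("unescaped EL -> " + finding);
        }
        // What c:out's default escaping does to a constructed user-supplied value.
        System.out.println(escapeXml("Nice post <b>& thanks</b> \"quoted\""));
    }
}
```

Run against the fragment in `main`, the lint reports the bare `${param.q}` on line 2, the deliberately raw `${article.bodyHtml}` on line 4 and `${link.url}` inside the href on line 5, while `${comment.text}` on line 3 is left alone because c:out escapes it. Of the three findings only line 4 is the opt-in case the post argues should be the explicit, visible exception; the other two are exactly the kind of silent raw output the default invites.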
So, here's my +1 for Matt's proposal. I hope future JSP specifications will correct this horrible default so that we aren't limited to non-portable hacks in specific web containers.