The Artima Developer Community
Java Buzz Forum
Norman Richards

Posts: 396
Nickname: orb
Registered: Jun, 2003

Norman Richards is co-author of XDoclet in Action
EL in JSP should be escaped by default Posted: Dec 6, 2007 11:39 AM
This post originated from an RSS feed registered with Java Buzz by Norman Richards.
Original Post: EL in JSP should be escaped by default
Feed Title: Orb [norman richards]
Feed URL: http://members.capmac.org/~orb/blog.cgi/tech/java?flav=rss
Feed Description: Monkey number 312,978,199

I just ran across a proposal by Matt Raible for an extension to Tomcat for defaulting to escaped EL. This is something that absolutely needs to be done, not just for Tomcat but for all web containers.

It's absolute lunacy that the default is to not escape values. If you've ever created a publicly accessible web application, it takes all of about 15 minutes before you quickly realize that you need to aggressively escape any displayed data that is potentially modified by the user. You should really escape everything, even things that are assumed to be "clean" already. Since you almost always want escaping, a ${simpleExpression} should default to escaping so you don't have to litter your page with <c:out>ugly tags</c:out>.

When you do have a variable that contains HTML that needs to go directly to the page, then using the c:out tag with escapeXml="false" should be required. In those rare cases, the extra work required is reasonable. It also alerts anyone working on that page that the expression is potentially dangerous and should be handled with extreme care.

So, here's my +1 for Matt's proposal. I hope future JSP specifications will correct this horrible default so that we aren't limited to non-portable hacks in specific web containers.

Read: EL in JSP should be escaped by default
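The contrast the post draws, shown in code. This is an added illustration written for this page; it is not code from the post, from Matt Raible's Tomcat extension, or from JSTL. It implements a tiny EL-like renderer with two modes: today's JSP behaviour, where a bare `${expr}` is emitted verbatim, and the proposed behaviour, where `${expr}` is escaped and only an explicit `<c:out value="${expr}" escapeXml="false"/>` bypasses escaping. The escaping function rewrites the same five characters JSTL's `escapeXml` does (`<`, `>`, `&`, `'`, `"`). The class name, the method names and the sample model values (`comment`, `banner`) are constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical demo (not Tomcat or JSTL code): renders a template fragment
 * under two policies so the difference between "raw by default" and
 * "escaped by default" is visible on the same input.
 */
public final class EscapeByDefaultDemo {

    /** Rewrites the characters JSTL's escapeXml="true" rewrites: < > & ' " */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // One pass, one pattern, so a raw value substituted earlier can never be
    // re-scanned as if it were part of the template.
    // group(1): name inside an explicit <c:out ... escapeXml="false"/> opt-out
    // group(2): name inside a bare ${name} expression
    private static final Pattern TOKEN = Pattern.compile(
        "(?:<c:out value=\"\\$\\{([A-Za-z0-9_.]+)\\}\" escapeXml=\"false\"/>)"
        + "|(?:\\$\\{([A-Za-z0-9_.]+)\\})");

    /** Today's JSP default: a bare ${name} is substituted verbatim. */
    static String renderRawByDefault(String template, Map<String, String> model) {
        return render(template, model, false);
    }

    /** Proposed default: ${name} is escaped; only the explicit opt-out emits raw HTML. */
    static String renderEscapedByDefault(String template, Map<String, String> model) {
        return render(template, model, true);
    }

    private static String render(String template, Map<String, String> model,
                                 boolean escapeByDefault) {
        Matcher m = TOKEN.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            boolean explicitRaw = m.group(1) != null;
            String name = explicitRaw ? m.group(1) : m.group(2);
            String value = model.getOrDefault(name, "");
            // The opt-out is honoured in both modes, exactly like c:out escapeXml="false".
            String emitted = (escapeByDefault && !explicitRaw) ? escapeXml(value) : value;
            m.appendReplacement(out, Matcher.quoteReplacement(emitted));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample data: "comment" is user-controlled, "banner" is
        // trusted markup the page author deliberately wants rendered as HTML.
        Map<String, String> model = new HashMap<>();
        model.put("comment", "<script>alert('xss')</script>");
        model.put("banner", "<b>Welcome</b>");

        String page = "<p>${comment}</p>"
                    + "<div><c:out value=\"${banner}\" escapeXml=\"false\"/></div>";

        // Today: the script tag reaches the browser untouched.
        System.out.println("raw by default:     " + renderRawByDefault(page, model));
        // Proposed: the comment is neutralised, the banner still renders as HTML,
        // and the dangerous spot is the one place on the page that says so.
        System.out.println("escaped by default: " + renderEscapedByDefault(page, model));
    }
}
```

Running the demo prints `<p><script>alert('xss')</script></p><div><b>Welcome</b></div>` for the current default and `<p>&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;</p><div><b>Welcome</b></div>` for the proposed one. The point worth noticing is the review property the post mentions: under the proposed default, the only expression that can emit raw markup is the one carrying `escapeXml="false"`, so a reader auditing the page knows exactly which values need scrutiny instead of having to prove every `${...}` is wrapped in a `<c:out>`.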
