Make ${} operator XSS safe in Struts 2 (same as tapestry)

jsp jstl xss struts2 ognl
  1. Struts2 <s:property value="name" /> is automatically escaped by default;
  2. JSTL <c:out value="${name}" /> is automatically escaped by default;
  3. JSP EL ${name} is NOT escaped.

You can explicitly escape it with ${fn:escapeXml(name)} , or set the escape to be performed by default creating a custom ELResolver as described in this great article:

  • ELResolver Escapes JSP EL Values To Prevent Cross-Site Scripting

Short answer: make it safe either on entry into the app, or on the way to the view layer.

Tapestry's ${} is safe because it's not using JSP/JSP EL. Not escaping stuff is one of the things you lose by using JSP EL's ${} over things like <c:out> and so on.

Related

Python Selenium driver.execute_script WebDriverException: Message: unknown error: call function result missing 'value'
How do I write an SP in phpMyAdmin (MySQL)?
Help with SAPI v5.1 SpeechRecognitionEngine always gives same wrong result with C#
@ionic/angular 4.0.0-beta.13 : Not allowed to load local resource : with webview 2.2.3 - Ionic CLI 4.3.1
How to implement Iterator yielding mutable references [duplicate]
Permission issues for location in android Marshmallow applicaton
How I can Import data from CSV to MySQL?
Get list of all installed applications in Windows Phone 8 [closed]
How to set default value to select list in MVC during run time
PHP session seemingly not working
Variables in a loop
Joining two dataframes without a common column