Doubt in EL part of JSP 2.0 specification
vijayakumar vivekanandan
Greenhorn
Joined: Dec 08, 2004
Posts: 21
I was skimming through the JSP 2.0 specification's EL part (page 1-65). I cannot understand the "to help prevent cross-site scripting attacks" part of the following lines: "The semantics of an EL expression are the same as with Java expressions: the value is computed and inserted into the current output. In cases where escaping is desired (for example, to help prevent cross-site scripting attacks), the JSTL core tag <c:out> can be used." How do cross-site scripting attacks occur if we use expressions, and how are they prevented in EL? Thanks in advance.
You cannot solve a problem with the same level of understanding that created it.
Gabriel Forro
Ranch Hand
Joined: Apr 16, 2004
Posts: 59
Hello, imagine you have a request attribute: if you use: , there will be a JavaScript block on the client side. But if you use: the text will be text and not JavaScript code, thanks to the escaping. So the answer is that a cross-site scripting attack is not prevented in EL. You can use the tag to prevent it. [ December 13, 2004: Message edited by: Gabriel Forro ]
Gabriel
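The difference Gabriel describes, as an added example that is not part of the thread or of the JSP/JSTL implementation: the class below emulates what a container emits for `${attr}` (value inserted verbatim, as the quoted spec text says) versus `<c:out value="${attr}"/>` with its default `escapeXml="true"`. The `escapeXml` method reimplements the five replacements JSTL's `c:out` performs; the class name, the page template and the sample inputs are assumptions constructed for the demonstration.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not from the thread): shows what a JSP page emits for
 * ${attr} versus <c:out value="${attr}"/> when the request attribute holds
 * attacker-controlled text. Class name and template are assumptions.
 */
public class ElEscapingDemo {

    /** The five replacements JSTL's c:out applies when escapeXml is true (the default). */
    public static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** What ${name} produces: the value lands in the page verbatim. */
    public static String renderWithEl(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    /** What <c:out value="${name}"/> produces: the same value, escaped first. */
    public static String renderWithCOut(String name) {
        return "<p>Hello, " + escapeXml(name) + "</p>";
    }

    /** True when a fragment can no longer open a tag, attribute or entity. */
    public static boolean isInert(String fragment) {
        for (char c : "<>&'\"".toCharArray()) {
            if (fragment.indexOf(c) >= 0) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, e.g. a "name" parameter copied into a request attribute.
        List<String> inputs = Arrays.asList(
            "Alice",
            "<script>alert(document.cookie)</script>",
            "\"><img src=x onerror=alert(1)>");

        for (String input : inputs) {
            System.out.println("input   : " + input);
            System.out.println("${attr} : " + renderWithEl(input)
                + (isInert(input) ? "" : "   <-- markup reaches the browser as-is"));
            System.out.println("<c:out> : " + renderWithCOut(input)
                + (isInert(escapeXml(input)) ? "   (inert text)" : ""));
            System.out.println();
        }
    }
}
```

Two caveats a practitioner would want alongside this: `<c:out escapeXml="false">` switches the escaping off and behaves like a bare `${attr}` again, and escaping for an HTML text node is not sufficient when the value is placed inside a `<script>` block, a URL, or an unquoted attribute, where different rules apply. In JSTL 1.1 the function `${fn:escapeXml(attr)}` performs the same replacements for cases where a tag is awkward.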
vijayakumar vivekanandan
Greenhorn
Joined: Dec 08, 2004
Posts: 21
Thanks Gabry. That was a crystal clear illustration. Is there any material elaborating on such possible attacks? This will help me make my code secure.