I've written my own ELResolver to escape any HTML in the output and prevent XSS.
It works fine, but double escapes output in <c:out> tags.
The workaround is to add disable XML escaping in the c:out tag, but I would like to automatically stop escaping when the ELResolver is evaluating an expression inside a c:out's value attribute.
Is there a way of working out which tag I'm current inside?
I've looked at the JSP page context, but can't find anything suitable.