simple error due to use of double quotes in a jsp file
I have the following line of code in a JSP File in my web app that is giving an error:
-
You should use single quotes on the
valueparameter, ie:value='<%=request.getParameter("userName")%>'or set the
org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPINGparameter tofalseas described here:http://blogs.sourceallies.com/2009/10/strict-quote-escaping-in-tomcat/
讨论(0) -
If you are using Tomcat 8.5+, the property
org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=falsewill not be acknowledged.I was able to set the property successfully in
{TOMCAT_ROOT}/conf/web.xmlby adding the following within the<servlet>block:<init-param> <param-name>strictQuoteEscaping</param-name> <param-value>false</param-value> </init-param>讨论(0) -
If you don't want to modify your JSPs, just set:
org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=falsein your
{TOMCAT_ROOT}/conf/catalina.propertiesfile. Works like a charm!Kudos from here.
讨论(0) -
if you use a " as scriplet delimeter, you can't use the some as a property delimiter in getParameter. So change the delimeter of scriptlet by '.As it tag parameter, I think there 'll be no problem. Otherwise replace :
value="<%=request.getParameter("userName")%>"/>
by :
value='<%=request.getParameter("userName")%>'/>
讨论(0) -
The example looks like a XSS example! This is a security vulnerability. I suggest to put in place a html encoding library like c:out tag or http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#encodeForHTMLAttribute%28java.lang.String%29
I also suggest to take the userName from an authenticated session and not form the request param if possible (unless this is a login/registration form only!)
讨论(0) -
I case Jasper JSP validation phase is used during project build.
Since Tomcat 8 there is a new attribute strictQuoteEscaping for Ant task and a switch -no-strictQuoteEscaping for running org.apache.jasper.JspC from command line.
讨论(0)
加载中...
- 热议问题