[OWASP-ESAPI] JSTL functions for contextual escaping

Rohit Sethi rklists at gmail.com
Fri Sep 10 16:52:09 EDT 2010

Disclaimer: Forgive me if you've already gone down this road, I
couldn't find anything about in the archives

With many Java EE developers moving to JSF/Facelets, I've noticed that
they rely heavily on escape='true' attributes within their tags to
defend against XSS. This works okay in the context of HTML, but
doesn't really help within the context of an HTML attribute.

For example, if I have the following element, <input type=text
value="#{bean.untrusted}" />, I can't use ESAPI tag libraries or
Scriplets to escape this data within valid XHTML. The best alternative
is to use something like JSTL's #{fn:escapeXml(bean.untrusted)}.
However, as we no doubt all know, fn:escapeXml()  is insufficient for
HTML attribute, JavaScript, and CSS contexts.

Has anyone proposed creating functions such as
fn:escapeHtmlAttribute(), fn:escapeCSS(), fn:escapeJavaScript() for
Rohit Sethi
Security Compass
twitter: rksethi

More information about the OWASP-ESAPI mailing list