Scott Leberknight's Weblog

Jeff has posted a nice blog about cross-site scripting (XSS) vulnerabilities in JSP 2.0 expressions. With JSP 2.0 you can use the following to emit the description of a "todo" item:

${todo.description}

That's pretty nice. What happens when someone has entered a description like this?

<script type="text/javascript">alert('F#$@ you!');</script>

Well, it executes the JavaScript and pops up a nice little message to you. Of course more malicious things could be injected there but you get the idea. JSTL's c:out tag, by default, escapes XML content so the following code will not execute the embedded JavaScript but will simply display it as part of the web page.

<c:out value="${todo.description}"/>

The nice thing here is that the default behavior of c:out is to escape XML content. If you need to override this and not escape XML content, you can simply write the following.

<c:out value="${todo.description}" escapeXml="false"/>

My question is this: Why in the world did the expert group on the JSP 2.0 JSR decide to make not escaping XML content the default for EL expressions, when they made the opposite decision for c:out? As Jeff alluded to in his post, it is too much of a hassle to try and determine where it is safe to use the JSP 2.0 expression syntax and where you need to ensure potential XML content is escaped. So the safest bet is to use c:out or the JSTL 1.1 function escapeXml, which looks like this.

${fn:escapeXml(todo.description)}

Given the choice between c:out and fn:escapeXml() I probably would prefer the latter as it seems a tad bit cleaner and more in the spirit of JSP 2.0 expressions. But I would prefer instead that the JSP expression language escaped XML content by default rather than have to choose which XML-escaping syntax to use.