Thom Nichols


Technology is evolution outside the gene pool

The Suckless JSP Tag Library

So I implemented the Python Web Console in plain Java and JSP on AppEngine.  Maybe this wasn't a great idea, but given the limited scope of the application, I was hard-pressed to complicate it with Spring or an alternative markup language.  Plain JSP and servlets seemed 'good enough' in this case.

I couldn't, however, ignore that there are a couple of glaring problems with JSP, probably the worst being that it doesn't escape EL values by default.  So if your model has any text that isn't scrubbed or manually escaped with <c:out>, you risk XSS attacks.  Matt Raible pointed this out, and proposed recompiling commons-el or adding a specific flag to Tomcat.  But obviously that is either non-portable or requires forking the EL library.  So I decided to go the alternate route and create a couple of simple EL functions to do the job.


This is also way nicer than c:out tags, since c:out is especially ugly if you're escaping a value in an attribute! 

No, it's not as good as something that's done by default -- if you forget to use the function, you're out of luck!  But it's a happy medium between glaring XSS hole and forking libraries.  In short, it makes JSP suck less.

There are a couple other handy functions as well:


<!-- Do some simple HTML formatting on plain text -->
<div class='bd'>${s:toHTML(s:esc(comment.text))}</div>

<!-- escape text included in a URL: -->
<a href='${s:escURL(tweet)}'
	title='Share on Twitter' target="_new">

<!-- Show a relative date such as '45 seconds ago,' '5 minutes ago,' etc. -->
<span class='date'>${s:relativeDate(recentScript.created)}</span>
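As an added example (not the tag library's own code), here is one way to implement the s:esc and s:escURL functions used above as static Java methods, together with the TLD mapping that exposes them to EL; the package and class names are assumptions.

```java
package example.suckless; // assumed package name

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

/**
 * Hypothetical implementations of the s:esc and s:escURL EL functions.
 * EL functions must be public static methods, each declared in a TLD, e.g.:
 *
 *   <function>
 *     <name>esc</name>
 *     <function-class>example.suckless.Escape</function-class>
 *     <function-signature>java.lang.String esc(java.lang.String)</function-signature>
 *   </function>
 */
public final class Escape {

    private Escape() {}

    /** HTML-escape text so it is safe in element bodies and in quoted attributes. */
    public static String esc(String text) {
        if (text == null) return "";
        StringBuilder sb = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;"); break;
                case '<':  sb.append("&lt;");  break;
                case '>':  sb.append("&gt;");  break;
                case '"':  sb.append("&#34;"); break;
                case '\'': sb.append("&#39;"); break; // needed for single-quoted attributes as in the samples
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Percent-encode a value so it can be embedded as a URL component (e.g. a query parameter). */
    public static String escURL(String text) {
        if (text == null) return "";
        try {
            return URLEncoder.encode(text, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }
}
```

Because esc also encodes both quote characters, the same function covers the attribute case that makes <c:out> awkward; escURL encodes a single component, so it is applied to the value placed inside a URL rather than to an already-built URL.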

Personally, I prefer Grails, as GSP does this by default (in addition to providing a much better markup library in general).

You can find the code as part of my python-web-console project here:

Got a better way of doing this?  Let me know!

Category: jsp Java