Can I pass between scriptlet and JSTL to escape XML?

I have a JSP scriptlet that takes GET parameters that must be XML-escaped to prevent XSS vulnerabilities. Since Java doesn't have built-in XSS escaping functions, I'm trying to pass to JSTL's fn:escapeXml() and back to a scriptlet, like so:

<%@ (import fn taglib) %>


String var1 = request.getParameter("input");




var1 = request.getAttribute("var1");


When I try this, the server returns the ever-helpful "500: Internal Server Error." Before I spend my day troubleshooting that, I thought I'd ask the experts: Should this work? Is there an obvious error in the code I've presented,...

Read More »

By: StackOverFlow - Friday, 20 July

Related Posts