Question
I have the following line of code in a JSP File in my web app that is giving an error:
<jsp:setProperty name="db" property="userName" value="<%=request.getParameter("userName")%>"/>
The error message that I get is:
org.apache.jasper.JasperException: /loginbean.jsp(6,59) Attribute value request.getParameter("userName") is quoted with " which must be escaped when used within the value
What I read on some sites is that characters like ' (single quote) or " (double quote) need to be prefixed with an escape sequence \ (backslash) if they are to be used.
However, when I try to prefix the double quotes (around the word userName) with a backslash, I immediately get the following error: "Illegal Character \92- Unclosed String Literal"
How do I resolve this problem?
Answer 1:
You should use single quotes on the value parameter, i.e.:
value='<%=request.getParameter("userName")%>'
or set the org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING parameter to false as described here:
http://blogs.sourceallies.com/2009/10/strict-quote-escaping-in-tomcat/
Answer 2:
If you are using Tomcat 8.5+, the property org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false will not be acknowledged.
I was able to set the property successfully in {TOMCAT_ROOT}/conf/web.xml by adding the following within the <servlet> block:
<init-param>
<param-name>strictQuoteEscaping</param-name>
<param-value>false</param-value>
</init-param>
Answer 3:
If you don't want to modify your JSPs, just set:
org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false
in your {TOMCAT_ROOT}/conf/catalina.properties file. Works like a charm!
Kudos from here.
Answer 4:
This can be fixed with an IDE regexp replace:
(<\w+:(?:[^>]|<%=[^%]+%>)+=)"([^<"]*<%=[^%]*"[^%]*%>[^"]*)"
For the replacement text, enter:
$1'$2'
Answer 5:
The example looks like an XSS example! This is a security vulnerability. I suggest putting in place an HTML-encoding library like the c:out tag or http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#encodeForHTMLAttribute%28java.lang.String%29
I also suggest taking the userName from an authenticated session and not from the request param if possible (unless this is a login/registration form only!)
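The following JSP page is an added example, not code from the question or any of the answers. It shows the quote-free way to populate the bean from the request parameter (the standard `param` attribute of `jsp:setProperty`, which is not mentioned on this page) next to the hardened output pattern Answer 5 recommends: the parameter is written back into an HTML attribute only after `fn:escapeXml`, and the bean property is printed with `c:out`, which escapes by default. It assumes a Tomcat deployment with JSTL on the classpath (javax-era taglib URIs) and a hypothetical bean class `com.example.LoginBean` with a `setUserName(String)` setter.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>

<%-- "db" and its userName property follow the question; com.example.LoginBean
     is an assumed class (not from the page) with a setUserName(String) setter. --%>
<jsp:useBean id="db" class="com.example.LoginBean" scope="request"/>

<%-- Populate the bean from the request parameter without a scriptlet:
     the param attribute reads request.getParameter("userName") for you, so the
     nested double quotes that triggered the JasperException never appear. --%>
<jsp:setProperty name="db" property="userName" param="userName"/>

<html>
<body>
<form method="post" action="login">
  <%-- Hardened: fn:escapeXml encodes & < > " and ' before the value is placed
       inside the attribute, so a parameter containing a quote cannot close the
       attribute early and inject markup, which is the XSS risk of writing the
       raw request.getParameter("userName") into value="...". --%>
  <input type="text" name="userName" value="${fn:escapeXml(param.userName)}">
  <input type="submit" value="Log in">
</form>

<%-- Printing the bean property back into the page: c:out escapes XML
     characters by default (escapeXml="true"), so user-controlled text is
     rendered as text rather than interpreted as HTML. --%>
<p>Welcome, <c:out value="${db.userName}"/></p>
</body>
</html>
```

Using `param="userName"` (or EL, `value="${param.userName}"`) sidesteps the strict-quote-escaping setting entirely, so the Tomcat-wide `strictQuoteEscaping=false` workaround from Answers 2 and 3 is not needed; keeping that check enabled is preferable, since it only affects how Jasper parses attribute values and does not by itself make output safe.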
Answer 6:
If you use a " as the scriptlet delimiter, you can't use the same one as a property delimiter in getParameter. So change the scriptlet delimiter to '. As it is a tag parameter, I think there'll be no problem. Otherwise replace:
value="<%=request.getParameter("userName")%>"/>
by :
value='<%=request.getParameter("userName")%>'/>
Answer 7:
In case the Jasper JSP validation phase is used during the project build:
Since Tomcat 8 there is a new attribute strictQuoteEscaping for Ant task and a switch -no-strictQuoteEscaping for running org.apache.jasper.JspC from command line.
Source: https://stackoverflow.com/questions/6501265/simple-error-due-to-use-of-double-quotes-in-a-jsp-file