simple error due to use of double quotes in a jsp

2019-01-22 07:08发布

问题:

I have the following line of code in a JSP File in my web app that is giving an error:

<jsp:setProperty name="db" property="userName" value="<%=request.getParameter("userName")%>"/>

The error message that I get is:

org.apache.jasper.JasperException: /loginbean.jsp(6,59) Attribute value request.getParameter("userName") is quoted with " which must be escaped when used within the value

What I read on some sites is that characters like ' (single quote) or " (double quote) need to be prefixed with an escape sequence \ (backslash) if they are to be used.

However, when I try and prefix the double quotes (around the word userName) with backslash, I immediately get the following error- "Illegal Character \92- Unclosed String Literal"

How do I resolve this problem?

回答1:

You should use single quotes on the value parameter, ie:

value='<%=request.getParameter("userName")%>'

or set the org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING parameter to false as described here:

http://blogs.sourceallies.com/2009/10/strict-quote-escaping-in-tomcat/



回答2:

If you don't want to modify your JSPs, just set:

org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false

in your {TOMCAT_ROOT}/conf/catalina.properties file. Works like a charm!

Kudos from here.



回答3:

If you are using Tomcat 8.5+, the property org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false will not be acknowledged.

I was able to set the property successfully in {TOMCAT_ROOT}/conf/web.xml by adding the following within the <servlet> block:

<init-param>
    <param-name>strictQuoteEscaping</param-name>
    <param-value>false</param-value>
</init-param>


回答4:

This can be fixed with a IDE Regexp Replace:

(<\w+:(?:[^>]|<%=[^%]+%>)+=)"([^<"]*<%=[^%]*"[^%]*%>[^"]*)"

For the replacement text, enter:

$1'$2'



回答5:

The example looks like a XSS example! This is a security vulnerability. I suggest to put in place a html encoding library like c:out tag or http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#encodeForHTMLAttribute%28java.lang.String%29

I also suggest to take the userName from an authenticated session and not form the request param if possible (unless this is a login/registration form only!)



回答6:

if you use a " as scriplet delimeter, you can't use the some as a property delimiter in getParameter. So change the delimeter of scriptlet by '.As it tag parameter, I think there 'll be no problem. Otherwise replace :

value="<%=request.getParameter("userName")%>"/>

by :

value='<%=request.getParameter("userName")%>'/>



回答7:

I case Jasper JSP validation phase is used during project build.

Since Tomcat 8 there is a new attribute strictQuoteEscaping for Ant task and a switch -no-strictQuoteEscaping for running org.apache.jasper.JspC from command line.