I have the following line of code in a JSP File in my web app that is giving an error:
<jsp:setProperty name="db" property="userName" value="<%=request.getParameter("userName")%>"/>
The error message that I get is:
org.apache.jasper.JasperException:
/loginbean.jsp(6,59) Attribute value
request.getParameter("userName") is
quoted with " which must be escaped
when used within the value
What I read on some sites is that characters like '
(single quote) or "
(double quote) need to be prefixed with an escape sequence \
(backslash) if they are to be used.
However, when I try and prefix the double quotes (around the word userName) with backslash, I immediately get the following error- "Illegal Character \92- Unclosed String Literal"
How do I resolve this problem?
You should use single quotes on the value
parameter, ie:
value='<%=request.getParameter("userName")%>'
or set the org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING
parameter to false
as described here:
http://blogs.sourceallies.com/2009/10/strict-quote-escaping-in-tomcat/
If you don't want to modify your JSPs, just set:
org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false
in your {TOMCAT_ROOT}/conf/catalina.properties
file. Works like a charm!
Kudos from here.
If you are using Tomcat 8.5+, the property org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false
will not be acknowledged.
I was able to set the property successfully in {TOMCAT_ROOT}/conf/web.xml
by adding the following within the <servlet>
block:
<init-param>
<param-name>strictQuoteEscaping</param-name>
<param-value>false</param-value>
</init-param>
This can be fixed with a IDE Regexp Replace:
(<\w+:(?:[^>]|<%=[^%]+%>)+=)"([^<"]*<%=[^%]*"[^%]*%>[^"]*)"
For the replacement text, enter:
$1'$2'
The example looks like a XSS example! This is a security vulnerability.
I suggest to put in place a html encoding library like c:out tag or http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#encodeForHTMLAttribute%28java.lang.String%29
I also suggest to take the userName from an authenticated session and not form the request param if possible (unless this is a login/registration form only!)
if you use a " as scriplet delimeter, you can't use the some as a property delimiter in getParameter. So change the delimeter of scriptlet by '.As it tag parameter, I think there 'll be no problem. Otherwise replace :
value="<%=request.getParameter("userName")%>"/>
by :
value='<%=request.getParameter("userName")%>'/>
I case Jasper JSP validation phase is used during project build.
Since Tomcat 8 there is a new attribute strictQuoteEscaping for Ant task and a switch -no-strictQuoteEscaping for running org.apache.jasper.JspC from command line.