Win a copy of Pipeline as Code this week in the Cloud/Virtualization forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Ron McLeod
  • Paul Clapham
  • Jeanne Boyarsky
  • Bear Bibeault
Sheriffs:
  • Rob Spoor
  • Henry Wong
  • Liutauras Vilda
Saloon Keepers:
  • Tim Moores
  • Carey Brown
  • Stephan van Hulst
  • Tim Holloway
  • Piet Souris
Bartenders:
  • Frits Walraven
  • Himai Minh
  • Jj Roberts

I want to use StringEscapeUtils in a JSP with JSTL (no scriplets!)

 
Ranch Hand
Posts: 618
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I am iterating over a Collection in a JSP using JSTL in such a way that to display the code and description for each member of the collection, I write this:



I want to escape the String referenced by "description" to make it JavaScript-safe by using the Apache Commons StringEscapeUtils class. It has a method called escapeJavaScript that takes the String to be escaped and returns the escaped String. With a scriptlet, I could simply write something like this:



But I'm trying to avoid that...

By the way, we're using Struts, but in this particular case, we retrieve the Collection of results from the Hibernate end and pass it all the way up to the Action class where it's placed in the request--the results aren't stored in a Struts form class, so it seems like the best place to escape the data would be here in the JSP.
[ November 16, 2005: Message edited by: Stephen Huey ]
 
Marshal
Posts: 67514
173
Mac Mac OS X IntelliJ IDE jQuery Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Since the methods in StringEscapeUtils are static you can declare EL functions that map to the methods in the class, then use those functions in any EL expression.

This assumes, of course, that you are in a JSP 2.0 environment.
 
Bartender
Posts: 1845
10
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I'm a little confused as the example that you gave was in HTML code rather than javascript so wouldn't you use escapeHTML instead of escapeJavascript in that code?

Anyway, if you don't have JSP2.0, the next best thing would be to wrap the call in a custom tag.
The c:out tag does a good job of escaping HTML/XML nasties.
You would just have to write a tag that takes the body, and outputs the body run through the escapeJavascriptMethod().

Something like
<myTag:escapeJavascript>text to escape</myTag:escapeJavascript>
[ November 16, 2005: Message edited by: Stefan Evans ]
 
Bear Bibeault
Marshal
Posts: 67514
173
Mac Mac OS X IntelliJ IDE jQuery Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I just added a JSP FAQ entry on defining EL functions that uses this very question as an example. Thanks for the inspiration.

And yes, the <c:out> tag will perform HTML-escaping, but there are no other built-in escape mechansims for notations such as Javascript, Java and SQL as provided by the other methods in StringEscapeUtils.
[ November 16, 2005: Message edited by: Bear Bibeault ]
 
Stephen Huey
Ranch Hand
Posts: 618
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
No JSP 2.0 here. Extending c ut sounds cool to me--not sure I'm high enough on the totem pole for that, but maybe I can convince someone to do it.
 
Bear Bibeault
Marshal
Posts: 67514
173
Mac Mac OS X IntelliJ IDE jQuery Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Pre-JSP 2.0 I would go the custom action route as Stefan mentioned.
 
Ranch Hand
Posts: 48
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thank yo'all for the mighty fine tip, boys! Much obliged!

Bear: I think there may be a small error in your FAQ. The TLD entry sez java.lang.String escapeJS(java.lang.String). However, the commons.lang 2.6 Javadoc has escapeJavaScript . Perhaps there has been a name change in recent versions.

Bonus: I can now have a EL function named escXml instead of the long-winded JSTL fn function escapeXml .



 
Bear Bibeault
Marshal
Posts: 67514
173
Mac Mac OS X IntelliJ IDE jQuery Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Per Lindberg wrote:Bonus: I can now have a EL function named escXml instead of the long-winded JSTL fn function escapeXml .


Personally I don't think that's an improvement. I'm not a big fan of needless abbreviation.
 
You know it is dark times when the trees riot. I think this tiny ad is their leader:
SKIP - a book about connecting industrious people with elderly land owners
https://coderanch.com/t/skip-book
reply
    Bookmark Topic Watch Topic
  • New Topic