Win a copy of Murach's Python Programming this week in the Jython/Python forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic

I want to use StringEscapeUtils in a JSP with JSTL (no scriplets!)  RSS feed

 
Stephen Huey
Ranch Hand
Posts: 618
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am iterating over a Collection in a JSP using JSTL in such a way that to display the code and description for each member of the collection, I write this:



I want to escape the String referenced by "description" to make it JavaScript-safe by using the Apache Commons StringEscapeUtils class. It has a method called escapeJavaScript that takes the String to be escaped and returns the escaped String. With a scriptlet, I could simply write something like this:



But I'm trying to avoid that...

By the way, we're using Struts, but in this particular case, we retrieve the Collection of results from the Hibernate end and pass it all the way up to the Action class where it's placed in the request--the results aren't stored in a Struts form class, so it seems like the best place to escape the data would be here in the JSP.
[ November 16, 2005: Message edited by: Stephen Huey ]
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65830
134
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Since the methods in StringEscapeUtils are static you can declare EL functions that map to the methods in the class, then use those functions in any EL expression.

This assumes, of course, that you are in a JSP 2.0 environment.
 
Stefan Evans
Bartender
Posts: 1834
10
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I'm a little confused as the example that you gave was in HTML code rather than javascript so wouldn't you use escapeHTML instead of escapeJavascript in that code?

Anyway, if you don't have JSP2.0, the next best thing would be to wrap the call in a custom tag.
The cut tag does a good job of escaping HTML/XML nasties.
You would just have to write a tag that takes the body, and outputs the body run through the escapeJavascriptMethod().

Something like
<myTag:escapeJavascript>text to escape</myTag:escapeJavascript>
[ November 16, 2005: Message edited by: Stefan Evans ]
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65830
134
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I just added a JSP FAQ entry on defining EL functions that uses this very question as an example. Thanks for the inspiration.

And yes, the <cut> tag will perform HTML-escaping, but there are no other built-in escape mechansims for notations such as Javascript, Java and SQL as provided by the other methods in StringEscapeUtils.
[ November 16, 2005: Message edited by: Bear Bibeault ]
 
Stephen Huey
Ranch Hand
Posts: 618
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
No JSP 2.0 here. Extending c ut sounds cool to me--not sure I'm high enough on the totem pole for that, but maybe I can convince someone to do it.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65830
134
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Pre-JSP 2.0 I would go the custom action route as Stefan mentioned.
 
Per Lindberg
Ranch Hand
Posts: 48
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thank yo'all for the mighty fine tip, boys! Much obliged!

Bear: I think there may be a small error in your FAQ. The TLD entry sez java.lang.String escapeJS(java.lang.String). However, the commons.lang 2.6 Javadoc has escapeJavaScript . Perhaps there has been a name change in recent versions.

Bonus: I can now have a EL function named escXml instead of the long-winded JSTL fn function escapeXml .



 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65830
134
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Per Lindberg wrote:Bonus: I can now have a EL function named escXml instead of the long-winded JSTL fn function escapeXml .

Personally I don't think that's an improvement. I'm not a big fan of needless abbreviation.
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!