I have an EL expression `${4+(param.a)*4}` in a JSP. How do I handle cross-site scripting for the example expression?

Will the following line of code do the arithmetic operation first then spit out the result as string or evaluate the whole expression as string first?

I want to do the arithmetic operation first and then output the result as a string.

  • Just use `fn:escapeXml()` on `param.a`, as demonstrated in the above-linked duplicate. – BalusC Mar 05 '20 at 18:37
  • @BalusC thanks for your input, but my question wasn't really about XSS attack prevention but more about how the tag would handle an arithmetic EL expression inside a tag. The XSS handling was just the context. Maybe I should have been clearer in the question. –  Mar 05 '20 at 22:36
  • Turns out I had not completed the question! –  Mar 05 '20 at 22:38
  • Oh. Why don't you just run it yourself then to see the actual behavior? – BalusC Mar 06 '20 at 09:03
  • I'm more of a front-end developer and I don't really have a Java project set up. I thought this would be a good question to get started on Stack Overflow. –  Mar 10 '20 at 03:19
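The following JSP page is an added example, not code from the question or from the comments, that puts the expression from the question next to the escaped forms suggested in the comments. It assumes JSTL 1.2 (the `java.sun.com` taglib URIs) and a request carrying a query parameter named `a`. In EL, `${4 + (param.a) * 4}` is evaluated as arithmetic first: `param.a` is coerced to a number, the `*` and `+` operators run, and only the resulting `Number` is coerced to a `String` when the page writes it. That is why the arithmetic form never copies the raw parameter into the HTML; escaping matters in the places where `param.a` is echoed as text.

```jsp
<%-- Added example, not from the question or its comments.
     Assumes JSTL 1.2 (taglib URIs below) and a request parameter "a". --%>
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<!DOCTYPE html>
<html>
<body>
<%-- 1. The expression from the question. EL coerces param.a to a number
        before the arithmetic runs; the numeric result (Long or Double) is
        then coerced to a String for output. The raw parameter text never
        reaches the page: a missing or empty parameter coerces to 0, and a
        value that is not a number makes the evaluation fail with an
        ELException instead of rendering anything. --%>
<p>Result: ${4 + (param.a) * 4}</p>

<%-- 2. Escaping applied to the operand, as suggested in the comments.
        fn:escapeXml returns a String, which EL coerces back to a number for
        the multiplication, so the arithmetic still happens before output. --%>
<p>Result: ${4 + fn:escapeXml(param.a) * 4}</p>

<%-- 3. Where the parameter is echoed as text rather than used in
        arithmetic, escaping is what prevents XSS. Both forms below encode
        <, >, &, ' and " before writing (c:out escapes by default). --%>
<p>You sent: ${fn:escapeXml(param.a)}</p>
<p>You sent: <c:out value="${param.a}"/></p>

<%-- Unsafe contrast, kept commented out: this would write the parameter
     verbatim into the HTML. --%>
<%-- <p>You sent: ${param.a}</p> --%>
</body>
</html>
```

Deploy the page in any servlet container with the JSTL jar on the classpath and request it with `?a=` set to a number, then to a non-numeric value, to see the difference between the arithmetic paragraphs (numeric output or an evaluation error) and the text paragraphs (escaped echo of whatever was sent).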

0 Answers