2

While anyone will explore this question, the obvious question arises that, is there any regular expression possible that matches

${foo}

but not

<c:if test="${foo}" />

or

<c:when test="${foo}" />

to replace those stand alone ${foo} with <c:out value="${foo}" />, here foo can be any string as long as ${foo} is a valid el expression in jsp.

Edit:

${foo} can be anywhere as long as its not violating jsp syntax after the replacement! This is just a precaution to prevent XXS attack in jsp's.

Community
  • 1
  • 1
Sazzadur Rahaman
  • 6,938
  • 1
  • 30
  • 52

5 Answers5

2

Description

This regex will find the naked ${foo} which is not inside a <c:.... test="${foo}" /> block

Regex: (?!("))\$\{[^}]*\}(?!")

Replace with <c:out value="$0" />

enter image description here

Input text: <c:if test="${foo man chu}" />${foo bar}more text here

Output Text: <c:if test="${foo man chu}" /><c:out value="${foo bar}" />more text here

To handle the additional edge cases where ${foo.bar} might be inside ` tags then you might want to use this regex

Regex: (?!("))(\$\{[^}]*\})(?!")|(<a\b[^>]*\bhref=")(\$\{[^}]*\})(")

Replace with: $3<c:out value="$1$2$4" />$5

enter image description here

Input text: <c:if test="${foo man chu}" />${foo bar}more <a href="${foo.name}" />text here

Output text: <c:if test="${foo man chu}" /><c:out value="${foo bar}" />more <a href="<c:out value="${foo.name}" />" />text here

Ro Yo Mi
  • 14,790
  • 5
  • 35
  • 43
  • Yes, you are right, Your regex will find naked `${foo}`, but `` this type of replacable `${foo}` will be ignored. – Sazzadur Rahaman Jun 13 '13 at 03:44
  • That edge case wasn't included in the original sample text. Please see the updated response which addresses additional edge case. – Ro Yo Mi Jun 13 '13 at 04:24
1

Following regex should work on your examples:

\${[^}]*}(?![^<>]*>)

Live Demo: http://www.rubular.com/r/ICdR4TGQXu

Though I think this might still give false positive for some rare cases.

anubhava
  • 761,203
  • 64
  • 569
  • 643
0

I believe you're probably trying to edit your JSPs in a text editor that supports find by regex feature. Trying to parse your JSPs otherwise (like @fge pointed) wouldn't be wise though.

Here's a regex that would match ${foo} but not ="${foo}"

(?<!=")\${foo}(?!")

effectively eliminating a match on <c:if test="${foo}" /> or <c:when test="${foo}" />

Ravi K Thapliyal
  • 51,095
  • 9
  • 76
  • 89
0

try this

str = str.replaceAll("(?<!<c:(if|when) test=[\"'])\\$\\{foo}", "<c:out value=\"\\${foo}\" />");
Evgeniy Dorofeev
  • 133,369
  • 30
  • 199
  • 275
0

In general, regular expressions are not powerful enough to correctly process any non-trivial language, especially one that allows matching parentheses, escaped quotes, and nested quoting.

You may find a regular expression here that seems to work for most cases, but that likely just means that you haven't met a clever enough attacker yet.

You need to be much more restrictive about what you let your users enter. You should not accept JSP code, try to "clean it up", and then execute it. You will get exploited. Even Sun could not accomplish this (see: the recent string of attacks against the Java Applet sandbox).

Steven Schlansker
  • 37,580
  • 14
  • 81
  • 100