37

I have the following line of code in a JSP File in my web app that is giving an error:

<jsp:setProperty name="db" property="userName" value="<%=request.getParameter("userName")%>"/>

The error message that I get is:

org.apache.jasper.JasperException: /loginbean.jsp(6,59) Attribute value request.getParameter("userName") is quoted with " which must be escaped when used within the value

What I read on some sites is that characters like ' (single quote) or " (double quote) need to be prefixed with an escape sequence \ (backslash) if they are to be used.

However, when I try to prefix the double quotes (around the word userName) with a backslash, I immediately get the following error: "Illegal Character \92- Unclosed String Literal"

How do I resolve this problem?

Brad Mace
Arvind
    You have already asked this question before: http://stackoverflow.com/questions/6494283/error-in-beans-form-processing-using-jsp-files-in-java-web-application If you cannot seem to find your asked questions back, please click on the link behind your username in the top navigation bar. It leads to your user profile where you can see all your previously asked questions: http://stackoverflow.com/users/793999/arvind – BalusC Jun 28 '11 at 04:49

7 Answers

56

You should use single quotes on the value parameter, ie:

value='<%=request.getParameter("userName")%>'

or set the org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING parameter to false as described here:

http://blogs.sourceallies.com/2009/10/strict-quote-escaping-in-tomcat/

ryanprayogo
  • I tried with single quotes- I am getting the following error now- org.apache.jasper.JasperException: org.apache.jasper.JasperException: Can't find a method to write property 'userName' of type 'java.lang.String' in a bean of type 'logbean.LoginBean' – Arvind Jun 28 '11 at 08:21
  • Set also http://stackoverflow.com/questions/9878326/passing-environment-variable-to-ant-task-without-ant-opts on how to set this for jasper ant task – Vadzim Dec 06 '16 at 22:38
12

If you are using Tomcat 8.5+, the property org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false will not be acknowledged.

I was able to set the property successfully in {TOMCAT_ROOT}/conf/web.xml by adding the following within the <servlet> block:

<init-param>
    <param-name>strictQuoteEscaping</param-name>
    <param-value>false</param-value>
</init-param>
Dump Cake
9

If you don't want to modify your JSPs, just set:

org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false

in your {TOMCAT_ROOT}/conf/catalina.properties file. Works like a charm!

Kudos from here.

mppfiles
6

This can be fixed with an IDE regexp replace:

(<\w+:(?:[^>]|<%=[^%]+%>)+=)"([^<"]*<%=[^%]*"[^%]*%>[^"]*)"

For the replacement text, enter:

$1'$2'

Chris T
Stephan
1

The example looks like an XSS example! This is a security vulnerability. I suggest putting in place an HTML encoding library like the c:out tag or http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#encodeForHTMLAttribute%28java.lang.String%29

I also suggest taking the userName from an authenticated session and not from the request param if possible (unless this is a login/registration form only!)

DavidC
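As an added example (not code from any of the answers above, nor from the asker's project), here is how the original setProperty line can be written with no scriptlet at all, using the standard param attribute of jsp:setProperty, and how the value is escaped when it is rendered back into HTML with JSTL's c:out. The scriptlet in the question only copies the raw parameter into the bean; nothing is written to the page at that point, so the place to encode is wherever the value is later emitted into HTML. This assumes the bean class logbean.LoginBean mentioned in the comments has a public setUserName(String) setter (the "Can't find a method to write property 'userName'" error in the comments is what Jasper reports when that setter is missing) and that the JSTL jar is on the web app's classpath.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- Assumed bean: logbean.LoginBean with setUserName(String)/getUserName() --%>
<jsp:useBean id="db" class="logbean.LoginBean" scope="request"/>

<%-- Populate the bean from the request parameter without a scriptlet.
     There is no nested double quote here, so strict quote escaping
     in Jasper has nothing to complain about. --%>
<jsp:setProperty name="db" property="userName" param="userName"/>

<%-- Wrong: echoes the raw parameter into the page (reflected XSS). --%>
<%-- <p>Welcome, <%= request.getParameter("userName") %></p> --%>

<%-- Right: c:out escapes < > & ' " to entities (escapeXml defaults to true). --%>
<p>Welcome, <c:out value="${db.userName}"/></p>

<%-- Same rule inside an HTML attribute: the outer quotes belong to template
     text, so the c:out tag may use single quotes for its own attribute. --%>
<input type="text" name="userName" value="<c:out value='${param.userName}'/>"/>
```

If a user submits userName=&lt;script&gt;alert(1)&lt;/script&gt;, the c:out lines render the angle brackets as entities and the browser shows the text literally instead of executing it; the commented-out scriptlet line would have emitted it unchanged.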
0

If you use a " as the scriptlet delimiter, you can't use the same as the property delimiter in getParameter. So change the delimiter of the scriptlet to '. As it is a tag parameter, I think there will be no problem. Otherwise replace:

value="<%=request.getParameter("userName")%>"/>

by :

value='<%=request.getParameter("userName")%>'/>

Salim Hamidi
0

In case the Jasper JSP validation phase is used during the project build:

Since Tomcat 8 there is a new attribute strictQuoteEscaping for the Ant task and a switch -no-strictQuoteEscaping for running org.apache.jasper.JspC from the command line.

Vadzim