simple error due to use of double quotes in a jsp file

Question

I have the following line of code in a JSP File in my web app that is giving an error:

<jsp:setProperty name="db" property="userName" value="<%=request.getParameter("userName")%>"/>

The error message that I get is:

org.apache.jasper.JasperException: /loginbean.jsp(6,59) Attribute value request.getParameter("userName") is quoted with " which must be escaped when used within the value

What I read on some sites is that characters like ' (single quote) or " (double quote) need to be prefixed with an escape sequence \ (backslash) if they are to be used.

However, when I try and prefix the double quotes (around the word userName) with backslash, I immediately get the following error- "Illegal Character \92- Unclosed String Literal"

How do I resolve this problem?

You have already asked this question before: http://stackoverflow.com/questions/6494283/error-in-beans-form-processing-using-jsp-files-in-java-web-application If you cannot seem to find your asked questions back, please click on the link behind your username in the top navigation bar. It leads to your user profile where you can see all your previously asked questions: http://stackoverflow.com/users/793999/arvind — BalusC, Jun 28 '11 at 04:49

score 56 · Accepted Answer · answered Jun 28 '11 at 03:43

56

You should use single quotes on the value parameter, ie:

value='<%=request.getParameter("userName")%>'

or set the org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING parameter to false as described here:

http://blogs.sourceallies.com/2009/10/strict-quote-escaping-in-tomcat/

answered Jun 28 '11 at 03:43

ryanprayogo

11,587
11
51
66

I tried with single quotes- I am getting the following error now- org.apache.jasper.JasperException: org.apache.jasper.JasperException: Can't find a method to write property 'userName' of type 'java.lang.String' in a bean of type 'logbean.LoginBean' – Arvind Jun 28 '11 at 08:21
Set also http://stackoverflow.com/questions/9878326/passing-environment-variable-to-ant-task-without-ant-opts on how to set this for jasper ant task – Vadzim Dec 06 '16 at 22:38

score 12 · Answer 2 · answered Sep 20 '16 at 18:37

12

If you are using Tomcat 8.5+, the property org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false will not be acknowledged.

I was able to set the property successfully in {TOMCAT_ROOT}/conf/web.xml by adding the following within the <servlet> block:

<init-param>
    <param-name>strictQuoteEscaping</param-name>
    <param-value>false</param-value>
</init-param>

answered Sep 20 '16 at 18:37

Dump Cake

250
2
8

2

By default, there are two `servlet` elements in `web.xml`. You need to place the above `init-param` element in the `jsp` – Michał Maciej Gałuszka Apr 04 '17 at 11:04

score 9 · Answer 3 · answered Jul 16 '14 at 17:14

9

If you don't want to modify your JSPs, just set:

org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false

in your {TOMCAT_ROOT}/conf/catalina.properties file. Works like a charm!

Kudos from here.

answered Jul 16 '14 at 17:14

mppfiles

2,397
1
21
16

score 6 · Answer 4 · edited Apr 28 '15 at 01:40

6

This can be fixed with a IDE Regexp Replace:

(<\w+:(?:[^>]|<%=[^%]+%>)+=)"([^<"]*<%=[^%]*"[^%]*%>[^"]*)"

For the replacement text, enter:

$1'$2'

edited Apr 28 '15 at 01:40

Chris T

8,186
2
29
39

answered Dec 07 '11 at 13:57

Stephan

482
5
13

4

+1 Pretty impressive. Not readable or anything, but impressive. – Ron Romero Dec 26 '11 at 23:28
instead of replacing with single quotes, I want to replace with escaping the inner double-quotes. what should be my regex and replacement text here. – thiru_k Oct 04 '13 at 09:39
I have gained a lot of time ! It what i was looking for ! – amdev Dec 20 '16 at 10:14
@thiru_k had the same issue, here is a regex for future reference `(?<=<%=.*)(?!\\)"(?=.*%>)` replacing with `\\"` – Vinz243 Feb 11 '21 at 14:37

score 1 · Answer 5 · answered Jul 17 '14 at 08:51

The example looks like a XSS example! This is a security vulnerability. I suggest to put in place a html encoding library like c:out tag or http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#encodeForHTMLAttribute%28java.lang.String%29

I also suggest to take the userName from an authenticated session and not form the request param if possible (unless this is a login/registration form only!)

score 0 · Answer 6 · answered Sep 26 '13 at 10:08

if you use a " as scriplet delimeter, you can't use the some as a property delimiter in getParameter. So change the delimeter of scriptlet by '.As it tag parameter, I think there 'll be no problem. Otherwise replace :

value="<%=request.getParameter("userName")%>"/>

by :

value='<%=request.getParameter("userName")%>'/>

Vadzim · Answer 7 · 2017-05-17T10:56:14.090

0

I case Jasper JSP validation phase is used during project build.

Since Tomcat 8 there is a new attribute strictQuoteEscaping for Ant task and a switch -no-strictQuoteEscaping for running org.apache.jasper.JspC from command line.

edited May 17 '17 at 10:56

answered May 16 '17 at 21:44

Vadzim

24,954
11
143
151

simple error due to use of double quotes in a jsp file

7 Answers7

Linked