XSS JSP Functions


Available since version 1.3.0

Why is this deprecated?

Since AEM 6.0, HTL (which applies XSS protection automatically) is preferred over JSP, so this feature, which directly supports the use of JSPs, is deprecated.


Provides simple JSP EL functions for XSS protection using the XSSAPI service provided by AEM.


First, add the taglib declaration:

<%@ taglib prefix="xss" uri="http://www.adobe.com/consulting/acs-aem-commons/xss" %>


  • xss:encodeForHTML(XSSAPI, String)
  • xss:encodeForHTMLAttr(XSSAPI, String)
  • xss:encodeForJSString(XSSAPI, String)
  • xss:filterHTML(XSSAPI, String)
  • xss:getValidDimension(XSSAPI, String, String)
  • xss:getValidHref(XSSAPI, String)
  • xss:getValidInteger(XSSAPI, String, int)
  • xss:getValidJSToken(XSSAPI, String, String)

See JavaDoc of XSSAPI for more details. Also see the XSS Cheat Sheet.


<%@include file="/libs/foundation/global.jsp"%><%
%><%@ taglib prefix="xss" uri="http://www.adobe.com/consulting/acs-aem-commons/xss" %>
${xss:encodeForHTMLAttr(xssAPI, 'hi"')}
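
The functions listed above, each used in the output context it is meant for, next to the unencoded form they replace. This is an added example, not code from the original page or from ACS AEM Commons; the property names (title, tooltip, linkURL, linkText, columns, text) are hypothetical, and `properties` is assumed to be the component ValueMap that global.jsp exposes alongside `xssAPI`.

```jsp
<%@include file="/libs/foundation/global.jsp"%><%
%><%@ taglib prefix="xss" uri="http://www.adobe.com/consulting/acs-aem-commons/xss" %>
<%-- All property names below are hypothetical sample names. --%>

<%-- Unprotected: plain EL writes the stored value into the page as-is,
     so any markup in the property is interpreted by the browser. --%>
<h2>${properties.title}</h2>

<%-- Element content: encode for the HTML body context. --%>
<h2>${xss:encodeForHTML(xssAPI, properties.title)}</h2>

<%-- Attribute value: quote the attribute and use the attribute encoder.
     encodeForHTML is not a substitute here; the contexts differ. --%>
<span title="${xss:encodeForHTMLAttr(xssAPI, properties.tooltip)}">?</span>

<%-- Link target: validate the URL as a whole instead of only encoding it.
     The link text is ordinary element content. --%>
<a href="${xss:getValidHref(xssAPI, properties.linkURL)}">
    ${xss:encodeForHTML(xssAPI, properties.linkText)}
</a>

<script>
    // String literal: the surrounding quotes are part of the template,
    // the encoder only makes the content safe inside them.
    var title = "${xss:encodeForJSString(xssAPI, properties.title)}";

    // Bare numeric literal: no quotes, so the value must be validated.
    // 3 is the default returned when the property is not a valid integer.
    var columns = ${xss:getValidInteger(xssAPI, properties.columns, 3)};
</script>

<%-- Rich text where some markup has to survive: filter instead of encode. --%>
<div>${xss:filterHTML(xssAPI, properties.text)}</div>
```

Choosing the function by output context is the point: a value that is safe after `encodeForHTML` is not thereby safe inside a script block or an `href`.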

Please report any issues with the Feature or documentation on the ACS AEM Commons GitHub Issue tracker.