XSS JSP Functions

Deprecated

Available since version 1.3.0

Why is this deprecated?

Since AEM 6.0, HTL (which applies XSS protection automatically) is preferred over JSP, so this feature, which directly supports the use of JSPs, is deprecated.

Purpose

Provide simple JSP EL functions for XSS protection using the XSSAPI service provided by AEM.

Usage

First, add the taglib declaration:

<%@ taglib prefix="xss" uri="http://www.adobe.com/consulting/acs-aem-commons/xss" %>

Functions

  • xss:encodeForHTML(XSSAPI, String)
  • xss:encodeForHTMLAttr(XSSAPI, String)
  • xss:encodeForJSString(XSSAPI, String)
  • xss:filterHTML(XSSAPI, String)
  • xss:getValidDimension(XSSAPI, String, String)
  • xss:getValidHref(XSSAPI, String)
  • xss:getValidInteger(XSSAPI, String, int)
  • xss:getValidJSToken(XSSAPI, String, String)

See JavaDoc of XSSAPI for more details. Also see the XSS Cheat Sheet.

Example

<%@include file="/libs/foundation/global.jsp"%><%
%><%@ taglib prefix="xss" uri="http://www.adobe.com/consulting/acs-aem-commons/xss" %>
${xss:encodeForHTMLAttr(xssAPI, 'hi"')}
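
The following added example (not from the original page or the ACS AEM Commons project) shows each function used in the output context it is meant for, since an encoder applied in the wrong context does not protect the output. The property names `title`, `linkURL`, `width` and `body` and the image path are hypothetical; `properties` and `xssAPI` are assumed to be provided by `global.jsp`, as in the example above.

```jsp
<%@include file="/libs/foundation/global.jsp"%><%
%><%@ taglib prefix="xss" uri="http://www.adobe.com/consulting/acs-aem-commons/xss" %>
<%-- Hypothetical author-supplied properties: title, linkURL, width, body --%>

<%-- HTML element content: encode markup characters so the value renders as text --%>
<h2>${xss:encodeForHTML(xssAPI, properties.title)}</h2>

<%-- HTML attribute values: use the attribute encoder so quotes cannot close the attribute;
     numeric attributes are validated and fall back to the default (100) when invalid --%>
<img src="/content/dam/example.png"
     alt="${xss:encodeForHTMLAttr(xssAPI, properties.title)}"
     width="${xss:getValidInteger(xssAPI, properties.width, 100)}"/>

<%-- Link targets: validate the URL as a whole rather than only encoding it --%>
<a href="${xss:getValidHref(xssAPI, properties.linkURL)}">
    ${xss:encodeForHTML(xssAPI, properties.title)}
</a>

<%-- JavaScript string literal: use the JS string encoder, not the HTML encoder --%>
<script>
    var componentTitle = "${xss:encodeForJSString(xssAPI, properties.title)}";
</script>

<%-- Rich text that must keep its markup: filter it instead of encoding it --%>
<div class="body">${xss:filterHTML(xssAPI, properties.body)}</div>
```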