Skip to content
This repository


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Fork of : Java web application enhancements library. Compile JSPs on startup. Escape JSP EL values to prevent cross-site scripting. (XSS ESAPI)

branch: master

This branch is 0 commits ahead and 0 commits behind master

Fetching latest commit…


Cannot retrieve the latest commit at this time

Octocat-spinner-32 license
Octocat-spinner-32 src
Octocat-spinner-32 .gitignore
Octocat-spinner-32 build.gradle

More info about this library at this blog post here:

Note this is an EL Resolver, not an ESAPI library (ESAPI put here for searchability)

Java Web Application Enhancements Library

Add library to your project

Add this Maven dependency:


Compile JSPs on startup

In the web.xml file, add a listener:


Escape JSP EL values to prevent cross-site scripting

In the web.xml file, add a listener:


Disable escaping

Use a custom tag to surround JSP code in which EL values should not be escaped:

<%@ taglib prefix="enhance" uri="" %>

<enhance:out escapeXml="false">
  I hope this expression returns safe HTML: ${}

Read model data in Jersey MVC JSP templates without "it."

Jersey's MVC framework exposes the model object to the JSP template as a request attribute named "it". To read the model data, a JSP template must evaluate an EL expression reading a property of this object, for example, ${it.propertyName}. This custom EL resolver exposes model properties as implicit objects, allowing a JSP template to read a model property with an EL expression like ${propertyName}.

In the web.xml file, add a listener:

Something went wrong with that request. Please try again.