Thursday, July 29, 2010

<c:url> DANGER !

<c:url value="/foobar.jspx#fragment">
<c:param name="p1" value="v1" />
<c:param name="p2" value="v2" />

fragment is not recognized as fragment and taken as part of path:


JSTL Specification 7.5 for c:url
reffers to old
JSP 1.2 in JSP.2.2.1 "Relative URL Specification"
which refers to old RFC
Elements may use relative URL specifications, called “URI paths” in the Servlet
2.3 specification. These paths are as described in the RFC 2396 specification.
So it becomes very unclear
if the value can contain fragments and/or query.

I vote for YES it can, even if the JSTL would want to advocate NO,
as I developer I would request it.

Tested on Suns jstl-impl-1.2.jar, Tomcat 6.0,
and after decompilation and quick look in the code,
I have strong suggestion

DO NOT USE !!!!!
it is dangerous and combined with lax EL, it can lead to
serious "security troubles" (search CWE, OWASP or others).

I will post fixed reliable version of
ainthek:url when ported from my other libraries.
And it will use IRI (I have not found anything better so far).


  1. Sorry no need to decompile, you can browse sources here Glassfish (head revision)

    The only thing that have changed from 1.2 to 1.3 are license header comments :-)

  2. and pure code from package declaration to last '}' bracket haven't changed since v1.1
    that's 5 years ago :-)