owasp-jxt - JXTCheatSheet.wiki


Core Syntax

Creating a Page

```
<?xml version="1.0" encoding="UTF-8"?>
<jxt:page xmlns:jxt="http://www.owasp.org/jxt/2010"
          xmlns:xi="http://www.w3.org/2001/XInclude"
          xmlns="http://www.w3.org/1999/xhtml"
          doctypePublic="-//W3C//DTD XHTML 1.0 Transitional//EN"
          doctypeSystem="http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html>
    ...
  </html>
</jxt:page>
```

Including Another Page

```
<xi:include href='/stuff-to-include.jxtf' parse='xml'/>
```

Character Content

```
text content is included verbatim.
<![CDATA[ CDATA Sections are good for content too. ]]>
```

Comments

```
<!-- JXT parses source files using an XML parser. XML comments, like this one, will be removed. -->
<jxt:comment>To include a comment in the output, use this tag.</jxt:comment>
```

Expressions

```
This result of ${a} + ${b} is ${a+b}.
<img src="/photo?user=${userId}" alt="Photo of ${user.getFullName()}" />
```

Controlling Output Escaping

```
<jxt:out value="${profile.getGeneratedHtml()}" escape="none"/>
```

Loops

```
<jxt:forEach items="${purchaseOrder.getLineItems()}" itemType="LineItem" var="item">
  <tr>
    <td>${item.getItem().getDescription()}</td>
    <td>${item.getQuantity()}</td>
    <td>${item.getPrice()}</td>
    <td>${item.getQuantity() * item.getPrice()}</td>
  </tr>
</jxt:forEach>
```

Conditionals

```
Please fix the following error: ${message}

You guessed too low.
You guessed too high.
You got it!
Please guess a number.
```

Using JSP Tags

```
<!-- Map the "my" namespace to the .tld -->
<jxt:page ... xmlns:my="/WEB-INF/my-tag-lib.tld" ...>
  <!-- use "custom-tag" from the tld -->
  <my:custom-tag attr="${value}">content</my:custom-tag>
</jxt:page>
```

Java Scriptlets

Using scriptlets is a highly discouraged practice as it can lead to unmaintainable code and easily be used to circumvent XSS protection. This functionality is provided primarily for compatibility with JSP.

```
<jxt:code><![CDATA[
// Once in a code context, everything that is available to a JSP page is
// also available here. Standard objects, such as session, request, out
// can be directly referenced.
String userId = session.getUserId(Constants.USER_ID_KEY);
out.println("This is a bad idea: "+userId); // XSS!
]]></jxt:code>
```

```
<jxt:declaration><![CDATA[
private ThreadLocal<Random> random = new ThreadLocal<Random>() {
    @Override
    protected Random initialValue() {
        return new Random();
    }
};
]]></jxt:declaration>
```

XHTML Tag Support

JXT "understands" XHTML's DTD and provides support for special constructs. To make use of these constructs make sure that the xmlns is set properly to an XHTML 1.0 Namespace URI (see <jxt:page> above).

Boolean Attribute Handling

"Boolean" attributes such as checked="checked" and selected="selected" make use of boolean expressions. The output will be correct XHTML: if the expression evaluates to true, then checked="checked" will be output, otherwise the attribute will be left out.

```
<input type="checkbox" checked="${index == checkedIndex}"/>
```

Required Attribute Handling

Attributes required by the DTD are always output, even if the value is null or the empty string. JXT will warn if a required attribute is missing.

```
<img src="/img.png" alt=""/> <!-- good, alt attribute will be written to output -->
<img src="/img.png" />       <!-- warning generated -->
```

URI Attributes

URI attributes (href, src, etc...) are handled by a URI-context-aware parser and escape logic.

| Context | Example |
|:------------------------|:---------------------------------------------------------------------|
| Full URI Encoding | `<a href="${fullURI}">...</a>` |
| Key/Value Pair Escaping | `<a href="/uri?${key}=${value}&key2=${value2}&${key3}=value3">...</a>` |
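The Expressions, Controlling Output Escaping and URI Attributes sections above all rest on one idea: an `${...}` expression is escaped according to the context it lands in, and only `escape="none"` (or a scriptlet) bypasses that. The following Python model is an added illustration of that behaviour, not JXT's own code; the exact encoders JXT applies are Java and may differ in detail, and the untrusted values are constructed for the demonstration.

```python
import html
from urllib.parse import quote

# Constructed untrusted inputs standing in for ${userId}, ${user.getFullName()}
# and ${profile.getGeneratedHtml()} in the cheat sheet's examples (not real data).
USER_ID = '42&redirect=//evil.example'      # tries to smuggle a second query parameter
FULL_NAME = 'Mallory" onerror="alert(1)'     # tries to break out of a quoted attribute
GENERATED_HTML = '<b>trusted</b> server-generated markup'


def html_escape(value):
    """Default ${...} escaping for element text and quoted attribute values."""
    return html.escape(str(value), quote=True)


def uri_component_escape(value):
    """Key/value pair escaping: percent-encode everything except unreserved characters."""
    return quote(str(value), safe='')


def render_photo_img(user_id, full_name):
    """The cheat sheet's <img> example with context-appropriate escaping.
    src is a URI attribute, so the id is escaped as a query value and then, like
    any attribute value, HTML-escaped (a no-op after percent-encoding);
    alt is an ordinary attribute, so it is HTML-escaped only."""
    return '<img src="/photo?user=%s" alt="Photo of %s" />' % (
        html_escape(uri_component_escape(user_id)), html_escape(full_name))


def render_naive_img(user_id, full_name):
    """Same tag built by plain concatenation, as an unescaped JSP <%= ... %> would."""
    return '<img src="/photo?user=%s" alt="Photo of %s" />' % (user_id, full_name)


def jxt_out(value, escape='html'):
    """Model of <jxt:out value="..." escape="..."/>: escape="none" passes markup
    through untouched, so it must only ever receive trusted, already-safe HTML."""
    return str(value) if escape == 'none' else html_escape(value)


if __name__ == '__main__':
    print(render_naive_img(USER_ID, FULL_NAME))   # attribute breakout survives
    print(render_photo_img(USER_ID, FULL_NAME))   # both payloads neutralised
    print(jxt_out(GENERATED_HTML, escape='none'))
```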

JSP to JXT Translation

For most commonly used constructs in JSP pages, there is an equivalent JXT construct. The table below shows some examples. (For JSPs in XML syntax, first translate the JSP XML syntax to the JSP equivalent, then to JXT. JXT syntax is much more similar to JSP XML syntax).

| JSP | JXT | Comments |
|:--------|:--------|:-------------|
| `<%= ... %>` | `${ ... }` | JSP expression is not escaped, JXT is |
| `<% ... %>` | `<jxt:code>...</jxt:code>` | Inline scriptlet (java) code |
| `<%! ... %>` | `<jxt:declaration> ... </jxt:declaration>` | Java class-level declaration |
| `<%@page ... %>` (content) | `<jxt:page ...> (content) </jxt:page>` | Page level declarations (imports, content-type, etc...) |
| `<%@taglib ... %>` | `xmlns:prefix="..."` | Mapping JSP taglib to XML Namespace prefix |
| `<%@include ... %>` | `<xi:include ... />` | Static inclusion of a JSP/JXT page |
| `<jsp:include ... />` | `<jsp:include ... />` | Runtime inclusion of a page/template |
| `<jsp:forward ... />` | `<jsp:forward ... />` | Internal forwarding of a request |
| `<jsp:useBean ... />` | `<jsp:useBean ... />` | Use a bean in a script (java) code |
| JSP Tag Extension | Same syntax as JSP | Use a JSP tag |
| JSTL/EL | no equivalent | JSTL/EL support may be something that is added in a future release. |