I have
<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
and also just for testing
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
at the top of the JSP page.
I just want to sanitize the errorMessage.
The following works, so I know that the message exist.
<% if(errorMessage != null) { %>
<span class="error"><%=errorMessage%></span>
<% } %>
However, if I use any of the following, it does not work and does not show anything:
<p>Dynamic data via EL: ${e:forHtml(errorMessage)}</p>
<p>Dynamic data via tag: <e:forHtml value="${errorMessage}" /></p>
<c:out value="${errorMessage}" />
I am not sure what is missing here.
You are using a scriptlet variable in the EL expression. It doesn't work. The variable with the name errorMassage doesn't contains in any scope used by JSP. So it cannot be found, untill you rewrite the code to remove scriptlets or put the variable to the page scope. How to create a variable in the page scope? See this:
<c:set var="errorMessage" scope="page"><%=errorMessage%></c:set>
Now you can use ${errorMessage}