Hi,
I have seen that "com.adobe.granite.xssprotection-5.5.4.jar" is using OWASP ESAPI under the hood.
Why doesn't Granite make the ESAPI Taglibs (http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/tags/package-summary.html) available?
Then one could, for example, use
<esapi:encodeForHTMLAttribute>${myvar}</esapi:encodeForHTMLAttribute>
which in my opinion is cleaner than using the "xssAPI"-object in scriptlets in JSPs.
Best regards,
Ronald