Another oldie pdf I found on my archive which contains some interesting notes on xss injection on JSPs TLDs (this is probably the smallest pdf I've posted here for a while).
What is interesting about the JSP TLD is that there are two parsing stages (which affect the payloads/exploits/vulnerability state)
