RE: [displaytag-devel] Should be escaping html?

Fri, 12 Dec 2003 09:15:14 -0800

For people without JSTL, they can use the Jakarta string taglib.

On Fri, 12 Dec 2003, Torgeir Veimo wrote:

> (sorry, lost quoting context..)
> 
> > <display:column property="someUserEnteredData" escapeXml="true"/>
> > 
> > rather than
> > 
> > <display:column>
> >     <c:out value="${row.someUserEnteredData}" escapeXml="true"/> 
> > </display:column>
> 
> Two comments from a user:
> 
> JSTL is not always available.
> 
> The first one is the correct one in terms of usability and
> functionality. It's what many other taglibs that write out values do. And
> it's necessary to avoid cross-site scripting vulnerabilities.
> 
> 

-- 
John York
Software Engineer
CareerSite Corporation



_______________________________________________
displaytag-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/displaytag-devel
