Thanks, Craig, and there you go, Rick.
On Thu, 17 Mar 2005 13:22:41 -0800, Craig McClanahan <[EMAIL PROTECTED]> wrote:
> On Thu, 17 Mar 2005 16:18:25 -0500, Rick Reumann <[EMAIL PROTECTED]> wrote:
> > Dakota Jack wrote the following on 3/17/2005 4:08 PM:
> > > I think that Craig had mentioned that there were some security issues
> > > or something, however, with not using the <c: blah blah. I did not
> > > bother checking it out because I still use the <c: blah blah.
> >
> > wow, really? I'd like to know what they are. I love how much cleaner my
> > code is without having to use c:out everywhere.
>
> Expression evaluation doesn't filter out characters that are sensitive
> in HTML (like '<'). Consider a common case where you accept input
> from a user into a text field, store it in your database, and then
> display it (on a different page) with something like this:
>
> <td>${customer.name}</td>
>
> Now, consider what happens if you have a malicious user who types
> something like this into the name field:
>
> <script language="JavaScript">...</script>
>
> The unsuspecting user who displays this page will be executing
> whatever JavaScript code replaces "...". That doesn't happen if you
> use <c:out> (or <bean:write> in Struts) because, by default, the "<"
> character gets emitted as "&lt;" instead.
>
> Craig
>
> > --
> > Rick
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>

--
"You can lead a horse to water but you cannot make it float on its back."
~Dakota Jack~
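To make Craig's point concrete, here is an added example (not code from the thread, from Struts or from JSTL) that reproduces the default escaping <c:out> applies (escapeXml="true") and renders the same stored value both ways. The class name OutEscaper and the helper names are assumptions; the hostile name value is constructed from the one quoted in the thread.

```java
/**
 * Mirrors the default escaping of JSTL <c:out> (escapeXml="true"): the five
 * characters that are sensitive in HTML/XML are replaced by entity
 * references so that stored user data is rendered as text, never as markup.
 * Added example; class and method names are assumptions, not a JSTL API.
 */
public final class OutEscaper {

    public static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What the two JSP forms from the thread emit for the same stored value:
    //   <td>${customer.name}</td>                   -> raw value, browser parses it as markup
    //   <td><c:out value="${customer.name}"/></td>  -> escaped value, browser shows it as text
    static String renderRaw(String name)     { return "<td>" + name + "</td>"; }
    static String renderEscaped(String name) { return "<td>" + escapeXml(name) + "</td>"; }

    public static void main(String[] args) {
        // Constructed sample inputs: the hostile "name" from the thread and a
        // benign name that must still round-trip correctly after escaping.
        String hostile = "<script language=\"JavaScript\">...</script>";
        String benign  = "O'Brien & Sons";

        System.out.println("raw:     " + renderRaw(hostile));
        // -> <td><script language="JavaScript">...</script></td>  (script tag reaches the browser)
        System.out.println("escaped: " + renderEscaped(hostile));
        // -> <td>&lt;script language=&#034;JavaScript&#034;&gt;...&lt;/script&gt;</td>
        System.out.println("escaped: " + renderEscaped(benign));
        // -> <td>O&#039;Brien &amp; Sons</td>  (displays as O'Brien & Sons)
    }
}
```

The escaped form is what the browser decodes back into the literal characters the user typed, so the stored value is displayed faithfully without ever being parsed as a tag.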