So, it's as much of a security risk as bean:write? I mean you could turn the filter off and get the same effect?

Leon

> From: Jeff Beal [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 23 March 2005 21:56
> To: Struts Users Mailing List
> Subject: Re: EL Mystery
>
> On Wed, 23 Mar 2005 19:38:39 +0000,
> [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > Can someone shed some light on this mystery? Also I have
> > heard that using EL outside of tags can be a security problem
> > and that it is better to use a <c:out value="${EL}"/> instead.
>
> The security part of this was mentioned on the list sometime
> in the last couple of weeks. The <c:out/> tags will escape
> any HTML-sensitive characters, but the straight EL language
> does not. So, let's say that your variable 'EL' that you
> were using is a String:
>
> "<script language=\"JavaScript\" href=\"nastybad.js\"></script>"
>
> <c:out value="${EL}"/> would print:
> <script language="JavaScript" href="nastybad.js"></script>
> and the user would just see the characters -- no harm done.
>
> ${EL} would just print the String, and whatever script is
> included in 'nastybad.js' would be executed on the end-user's machine.
>
> If you are confident that the contents of your EL variable
> couldn't possibly have any harmful HTML in them, go ahead and
> use ${EL}.
>
> --
> Jeff Beal
> Webmedx, Inc.
> Pittsburgh, PA USA
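The four rendering forms discussed in this thread side by side, as an added JSP fragment that is not part of the original mails. It assumes an action or servlet has stored the untrusted string above in request scope under the attribute name `el`, and that the JSTL 1.1 core and Struts 1.x bean taglibs are available under the URIs shown.

```jsp
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://struts.apache.org/tags-bean" prefix="bean" %>
<%-- Assumption: request attribute "el" holds
     <script language="JavaScript" href="nastybad.js"></script> --%>

<%-- 1. JSTL c:out, escapeXml defaults to true: the characters & < > " '
     are replaced by entities, so the browser shows the tag as text. --%>
<c:out value="${el}"/>

<%-- 2. Raw EL (JSP 2.0 and later): the value is written verbatim,
     the browser parses it as markup and loads nastybad.js. --%>
${el}

<%-- 3. Struts bean:write with the filter switched off: same output
     as raw EL, i.e. no escaping at all (Leon's question). --%>
<bean:write name="el" scope="request" filter="false"/>

<%-- 4. Struts bean:write with its default filter="true": escaped
     output equivalent to case 1. --%>
<bean:write name="el" scope="request"/>

<%-- Explicitly disabling escaping on c:out is the JSTL counterpart
     of case 3 and is just as unsafe for untrusted values. --%>
<c:out value="${el}" escapeXml="false"/>
```

Cases 1 and 4 are the ones to use whenever the value can come from a user; the escaping is the defence, not the tag library, so a filtered tag with the filter turned off gives no protection.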