Or try escaping the <c:out......
e.g
<c:out value="${login.name}" escapeXml="true"/>
true of false depending....
hope that helps...
On Wed, 23 Mar 2005 15:56:02 -0500, Jeff Beal <[EMAIL PROTECTED]> wrote:
> On Wed, 23 Mar 2005 19:38:39 +0000, [EMAIL PROTECTED]
> <[EMAIL PROTECTED]> wrote:
>
> > Can some one shed some light on this mystery? Also I have heard that using
> > EL outside of tags can be a security problem and that it is better to use a
> > <c:out value="${EL}"/> instead.
>
> The security part of this was mentioned on the list sometime in the
> last couple of weeks. The <c:out/> tags will escape any
> HTML-sensitive characters, but the straight EL language does not. So,
> let's say that your variable 'EL' that you were using is a String:
> "<script language=\"JavaScript\" href=\"nastybad.js\"></script>"
>
> <c:out value="${EL}"/> would print:
> <script language="JavaScript"
> href="nastybad.js"></script> and the user would
> just see the characters -- no harm done.
>
> ${EL} would just print the String, and whatever script is included in
> 'nastybad.js' would be executed on the end-user's machine.
>
> If you are confident that the contents of your EL variable couldn't
> possibly have any harmful HTML in them, go ahead and use ${EL}.
>
> --
> Jeff Beal
> Webmedx, Inc.
> Pittsburgh, PA USA
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
