Josh McDonald wrote the following on 1/18/2006 5:29 PM:
Servlet 2.4 lets you use EL all over the place in JSPs? That rocks me,
can someone please send me a link to some good examples of just how
out-there you can get?
Just remember to consider using c:out vs just the straight EL ${}...
Craig brought this up a while ago and I wasn't even aware of the
concerns. For outputting text you should be careful of just using
${someVar} vs <c:out value="${someVar}"/> By default c:out will escape
the characters so that what is inputted for someVar will show up. Just
using ${} does not escape the characters, so if you aren't careful with
what you do on the backend, someone possibly could enter in a JavaScript
string which will get persisted to the db, and then on a display page if
you simply display this field using the built-in EL support, you'll end
up with JavaScript executing on the page :)
Try it out, do this on your page:
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%-- Plain string literal; nothing below escapes it before output. --%>
<c:set var="test"
value="<script>this.location='http://www.espn.com';</script>"/>
<body>
stuf
stuff
<%-- Bare EL writes the value into the page as-is, so the browser runs it. --%>
${test}
</body>
Then try it with
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<c:set var="test"
value="<script>this.location='http://www.espn.com';</script>"/>
<body>
stuf
stuff
<%-- c:out escapes <, >, &, ' and " by default (escapeXml="true"),
     so the browser shows the script source as text instead of running it. --%>
<c:out value="${test}"/>
</body>
--
Rick
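The difference Rick describes, carried through in plain Java as an added example (this is not code from the original mail, from JSTL or from the list): escapeXml() below reproduces the five replacements JSTL's c:out performs when escapeXml is left at its default of true, and the two render methods stand in for ${test} and <c:out value="${test}"/>. The sample value is constructed to match the c:set in the mail; the class and method names are the example's own.

```java
import java.util.Locale;

/**
 * Added example, not part of the original mail or of JSTL.
 * escapeXml() mirrors the character table JSTL applies for
 * <c:out> with escapeXml="true" (the default); the render
 * methods simulate the two JSP fragments from the mail.
 */
public class EscapeDemo {

    /** Same replacements JSTL's c:out makes: & < > " ' become entities. */
    public static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Simulates ${test}: the value goes into the page untouched. */
    public static String renderWithBareEl(String value) {
        return "<body>\nstuff\n" + value + "\n</body>";
    }

    /** Simulates <c:out value="${test}"/>: the value is escaped first. */
    public static String renderWithCOut(String value) {
        return "<body>\nstuff\n" + escapeXml(value) + "\n</body>";
    }

    /** Crude review check on rendered output: does a raw start tag survive? */
    public static boolean containsRawTag(String html, String tagName) {
        String needle = "<" + tagName.toLowerCase(Locale.ROOT);
        return html.toLowerCase(Locale.ROOT).contains(needle);
    }

    public static void main(String[] args) {
        // Constructed sample value, the same shape as the mail's c:set.
        String test = "<script>this.location='http://www.espn.com';</script>";

        String bare = renderWithBareEl(test);
        String safe = renderWithCOut(test);

        System.out.println("--- ${test} ---");
        System.out.println(bare);
        System.out.println("raw <script> present: " + containsRawTag(bare, "script")); // true

        System.out.println("--- <c:out value=\"${test}\"/> ---");
        System.out.println(safe);
        System.out.println("raw <script> present: " + containsRawTag(safe, "script")); // false
    }
}
```

Compile and run with javac EscapeDemo.java && java EscapeDemo. Setting escapeXml="false" on c:out reproduces the bare ${} behaviour, so the tag only helps while that attribute stays at its default; and this table is HTML-body escaping only, so a value placed inside a script block or an unquoted attribute needs escaping appropriate to that context.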