On 1/19/06, Rick Reumann <[EMAIL PROTECTED]> wrote:
>
> Josh McDonald wrote the following on 1/18/2006 5:29 PM:
> > Servlet 2.4 lets you use EL all over the place in JSPs? That rocks me,
> > can someone please send me a link to some good examples of just how
> > out-there you can get?
>
> Just remember to consider using c:out vs just the straight EL ${}...


This is definitely a valid concern.  But using JSP 2.0 lets you use EL
expressions for the attributes of *any* JSP custom tag, not just the tags
that know about them.  And this is still quite valuable.

Craig

> Craig brought this up a while ago and I wasn't even aware of the
> concerns. For outputting text you should be careful of just using
> ${someVar} vs <c:out value="${someVar}"/>   By default c:out will escape
> the characters so that what is inputted for someVar will show up. Just
> using ${} does not escape the characters, so if you aren't careful with
> what you do on the backend, someone possibly could enter in a javascript
> string which will get persisted to the db, and then on a display page if
> you simply display this field using the built in EL support, you'll end
> up with Javascript executing on the page:)
>
> Try it out, do this on your page:
>
> <c:set var="test"
> value="<script>this.location='http://www.espn.com';</script>"/>
> <body>
> stuf
> stuff
> ${test}
> </body>
>
> Then try it with
>
> <c:set var="test"
> value="<script>this.location='http://www.espn.com';</script>"/>
> <body>
> stuf
> stuff
> <c:out value="${test}"/>
> </body>
>
>
> --
> Rick
>
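The difference Rick's two JSP fragments show, as an added example that is not part of the original thread: the `escapeXml` method below reproduces the default escaping that JSTL's `<c:out>` applies (the five characters `<`, `>`, `&`, `'`, `"`), and `renderRaw` / `renderEscaped` stand in for the `${test}` and `<c:out value="${test}"/>` pages. The class name and method names are assumptions for this illustration, not JSTL API.

```java
public final class OutEscape {

    // Escapes the same five characters that JSTL's <c:out> escapes
    // when escapeXml="true" (its default), using the same entities.
    public static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Equivalent of the first page: ${test} is written to the response as-is.
    public static String renderRaw(String value) {
        return "<body>\nstuff\n" + value + "\n</body>";
    }

    // Equivalent of the second page: <c:out value="${test}"/> escapes first.
    public static String renderEscaped(String value) {
        return "<body>\nstuff\n" + escapeXml(value) + "\n</body>";
    }

    // Simple check a reviewer can run over rendered output: does any
    // element tag survive in what was supposed to be plain text?
    public static boolean containsTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // The same constructed value Rick sets with <c:set var="test" .../>.
        String test = "<script>this.location='http://www.espn.com';</script>";

        String raw = renderRaw(test);
        String escaped = renderEscaped(test);

        System.out.println("raw page, script tag present: " + containsTag(raw));
        System.out.println(raw);
        System.out.println();
        System.out.println("c:out page, script tag present: " + containsTag(escaped));
        System.out.println(escaped);
    }
}
```

The raw page sends the `<script>` element to the browser unchanged; the escaped page sends `&lt;script&gt;...`, which the browser displays as text. Craig's point still applies to both: when `${test}` is used as an attribute value of a custom tag under JSP 2.0, the tag handler receives the unescaped string, so it is that handler, not the EL evaluator, that decides whether the value is escaped before reaching the response.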
