On 1/19/06, Rick Reumann <[EMAIL PROTECTED]> wrote:
> Josh McDonald wrote the following on 1/18/2006 5:29 PM:
> > Servlet 2.4 lets you use EL all over the place in JSPs? That rocks me,
> > can someone please send me a link to some good examples of just how
> > out-there you can get?
>
> Just remember to consider using c:out vs just the straight EL ${}...
<snip/>

For such concerns ... ${fn:escapeXml(test)} is an option. <c:out/> is overrated in JSP >= 2.0, IMO. The one place it is useful is to ensure well-formedness in jspx files. jspx/tagx files are revolutionary in concept, and a step in the right direction, though I doubt many folks use them extensively.

-Rahul

> Craig brought this up a while ago and I wasn't even aware of the
> concerns. For outputting text you should be careful of just using
> ${someVar} vs <c:out value="${someVar}"/>. By default c:out will escape
> the characters so that what is input for someVar will show up. Just
> using ${} does not escape the characters, so if you aren't careful with
> what you do on the backend, someone possibly could enter a javascript
> string which will get persisted to the db, and then on a display page if
> you simply display this field using the built-in EL support, you'll end
> up with Javascript executing on the page :)
>
> Try it out, do this on your page:
>
> <c:set var="test"
>        value="<script>this.location='http://www.espn.com';</script>"/>
> <body>
> stuff
> stuff
> ${test}
> </body>
>
> Then try it with
>
> <c:set var="test"
>        value="<script>this.location='http://www.espn.com';</script>"/>
> <body>
> stuff
> stuff
> <c:out value="${test}"/>
> </body>
>
> --
> Rick
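The three output forms discussed in this thread side by side, as an added example that is not code from either poster. It assumes the JSTL 1.1 taglib URIs shipped with Servlet 2.4 / JSP 2.0 containers, and the `test` value is a constructed stand-in for a string read back from the database; the `q` input field is a hypothetical attribute-context case added to show the same concern there.

```jsp
<%@ page contentType="text/html; charset=UTF-8" isELIgnored="false" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- Constructed payload standing in for untrusted data loaded from the db. --%>
<c:set var="test" value="<script>this.location='http://www.espn.com';</script>"/>
<html>
<body>
<%-- 1. Raw EL in template text: the markup is copied into the response
        verbatim, so the browser runs the script (the vulnerable case). --%>
${test}

<%-- 2. c:out: escapeXml defaults to true, so <, >, &, ' and " become
        &lt; &gt; &amp; &#039; &#034; and the payload renders as text. --%>
<c:out value="${test}"/>

<%-- 3. fn:escapeXml(): the same escaping as c:out, without the extra tag;
        this is the form Rahul suggests for JSP >= 2.0. --%>
${fn:escapeXml(test)}

<%-- 4. Pitfall: escapeXml="false" turns c:out back into case 1. --%>
<c:out value="${test}" escapeXml="false"/>

<%-- 5. Hypothetical attribute context: escape there too, and keep the
        attribute quoted so a stray " cannot close it early. --%>
<input type="text" name="q" value="${fn:escapeXml(test)}"/>
</body>
</html>
```

Two caveats a practitioner should keep in mind. First, `${...}` in template text is only evaluated when the web.xml declares Servlet 2.4 or the page sets `isELIgnored="false"`; with an older deployment descriptor the raw `${test}` above is printed literally, which hides the problem rather than fixing it. Second, XML escaping is only sufficient for HTML body and quoted-attribute contexts; a value placed inside an existing `<script>` block, an inline event handler, or a URL needs escaping for that context instead.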