2010/6/12 Otmar Manuela <[email protected]>:
>
> So the problem would not happen with ${param.P}, but only with
> ${param.my-code}. I guess with parameters with dashes in it, it treats it
> as a calculation and therefore returns a 0.
>

Yes, it does. BTW, you can use ${param['my-code']}

> Regarding the JavaScript attack in the code sample, you are probably right.
> I guess a <c:out> escaping the XML characters will probably help a lot
> already, but it does require more thought.
>

or use ${fn:escapeXml( ... )}
The URI for the fn prefix is
http://java.sun.com/jsp/jstl/functions

Best regards,
Konstantin Kolinko