CodeBlue

Reputation: 15389

Do JSTL tags automatically escape HTML?

In JSTL an expression such as

<c:out value="${user.firstName}"/> will escape any HTML contained in user.firstName.

However, does it apply to all JSTL tags? For instance, will an expression like

href="<c:url value="/users/">
<c:param name="firstName" value="${user.firstName}"/>
</c:url>"

also escape HTML?

Upvotes: 3

Views: 6701

Answers (1)

JB Nizet

Reputation: 691645

No, no tag except <c:out> escapes XML. For example: <fmt:message> doesn't escape XML. This allows placing HTML markup or escape sequences in the resource bundle.

<c:param> url-encodes the parameter value. But placing two <c:param> inside a single <c:url> will produce an unescaped &: someUrl?foo=bar&baz=zim. To properly escape this &, store the URL inside a variable, and use <c:out> or fn:escapeXml to escape the variable:

<c:url value="someUrl" var="theUnescapedUrl">
    <c:param name="foo" value="bar"/>
    <c:param name="baz" value="zim"/>
</c:url>
<a href="<c:out value='${theUnescapedUrl}'/>">click here</a>

or

<a href="${fn:escapeXml(theUnescapedUrl)}">click here</a>

Upvotes: 6
