DasBooten

Reputation: 329

value="${fn:escapeXml(true)}"/> Is it useful?

Have a quick question:

value="${fn:escapeXml(true)}"/>

This code above, I am using it within a hidden input field as below in various forms:

<input type="hidden" name="Eatit" value="${fn:escapeXml(false)}"/>

I know this JSTL function is useful in preventing XML injection within forms for strings.

My question is can a boolean or an integer be manipulated in the same way and is this a useful solution against hidden input value tampering?

Thanks.

Upvotes: 1

Views: 1243

Answers (1)

JB Nizet

Reputation: 691645

No, this is useless. Escaping the value is useful when it's a string which contains or could contain special characters needing to be escaped. The literal Strings "true" and "false" don't contain any such character, so escaping them is unnecessary.

Upvotes: 3
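
An added example, not code from the question or the answer: a small Java program that re-implements the five character replacements fn:escapeXml performs, shows they leave booleans and integers unchanged, and contrasts that with a server-side check of the submitted Eatit value. The class name, parseEatit and the sample inputs are assumptions made up for this illustration.

```java
import java.util.List;

public class HiddenFieldDemo {
    // Re-implementation (for illustration) of the replacements fn:escapeXml applies.
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical server-side check for the submitted "Eatit" parameter:
    // accept only the two expected literals and reject everything else.
    static boolean parseEatit(String submitted) {
        if ("true".equals(submitted)) return true;
        if ("false".equals(submitted)) return false;
        throw new IllegalArgumentException("unexpected Eatit value");
    }

    public static void main(String[] args) {
        // Render time: escaping a boolean or an integer changes nothing.
        for (Object v : List.of(true, false, 42, -7)) {
            String raw = String.valueOf(v);
            System.out.println(raw + " -> " + escapeXml(raw)
                    + " (changed: " + !raw.equals(escapeXml(raw)) + ")");
        }
        // Only a string containing markup characters is altered.
        System.out.println(escapeXml("\"/><b>x</b>"));

        // Submit time: the value is read from the request, not from the rendered
        // page, so it is validated on the server. Constructed sample inputs:
        for (String submitted : List.of("false", "true", "TRUE", "1", "")) {
            try {
                System.out.println("'" + submitted + "' accepted as " + parseEatit(submitted));
            } catch (IllegalArgumentException e) {
                System.out.println("'" + submitted + "' rejected");
            }
        }
    }
}
```

Escaping only affects how the value is written into the page; whatever comes back in the request is checked separately on the server.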
