Cowhen

Reputation: 161

In JSTL/JSP when do I have to use <c:out value="${myVar}"/> and when can I just say ${myVar}

I've been doing this the whole time in my JSP code:

<c:out value="${myVar}"/>

Today I just realized for the first time that I seem to be able to use this shorter version just as well:

${myVar}

It works without <c:out>!

Perhaps this is because my page is declared like this:

<%@ page language="java" contentType="text/html; charset=utf-8" pageEncoding="utf-8" isELIgnored="false" %>

So, my question is, can I replace <c:out> in my code with this shorter version? Is there any reason to keep using <c:out>? Or are there places where I might still need it?

Upvotes: 16

Views: 15193

Answers (2)

JB Nizet

Reputation: 691795

<c:out> does more than simply outputting the text. It escapes the HTML special chars. Use it (or ${fn:escapeXml()}) every time you're not absolutely sure that the text doesn't contain any of these characters: ", ', <, >, &. Otherwise, you'll have invalid HTML (in the best case), a broken page, or cross-site scripting attacks (in the worst case).

I'll give you a simple example so that you understand. If you develop a forum, and someone posts the following message, and you don't use <c:out> to display this message, you'll have a problem:

<script>while (true) alert("you're a loser");</script>

Upvotes: 26

BalusC

Reputation: 1108852

Perhaps this is because my page is declared like this:

<%@ page language="java" contentType="text/html; charset=utf-8" pageEncoding="utf-8" isELIgnored="false" %>

Untrue. Just <%@page pageEncoding="UTF-8" %> would have been sufficient. The rest is already the default.

EL in template text has been supported since JSP 2.0, which goes hand in hand with Servlet 2.4 (which has been out since 2003... keep yourself up to date). So when you're running a Servlet 2.4 capable container (e.g. Tomcat 5.5 or newer) with a web.xml declared conforming to the Servlet 2.4 API, you'll be able to use EL in template text.

However, you should not use it to (re)display user-controlled input. So, do not use it to (re)display (saved) request headers, request cookies, request URLs, request parameters, request bodies, etc. This will leave the door open to XSS attacks.

Upvotes: 8
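The point made in both answers (plain ${...} in template text writes the value verbatim, <c:out> and fn:escapeXml encode it) in one page you can drop into a JSTL-enabled webapp. This is an added example, not code from the question or either answer; the variable names msg, trustedHtml and missingVar are constructed for the demonstration, and msg stands in for any user-controlled value (a forum post, ${param.msg}, a saved record field). The payload is the one from JB Nizet's answer.

```jsp
<%@ page pageEncoding="UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%--
  Added example, not code from the question or either answer.
  "msg" is a constructed stand-in for user-controlled input (a forum post,
  a request parameter such as ${param.msg}, a saved record field, ...).
  The payload is the one from JB Nizet's answer.
--%>
<c:set var="msg"><script>while (true) alert("you're a loser");</script></c:set>
<%-- Constructed, trusted, already-escaped markup for case 4 below. --%>
<c:set var="trustedHtml"><b>bold</b> and &amp;</c:set>
<!DOCTYPE html>
<html>
<body>

<%-- 1. VULNERABLE: EL in template text writes the value verbatim. The
        browser receives a real <script> element and executes it. --%>
<p>${msg}</p>

<%-- 2. SAFE: <c:out> escapes & < > " ' by default (escapeXml="true").
        The response body contains
        &lt;script&gt;while (true) alert(&#034;you&#039;re a loser&#034;);&lt;/script&gt;
        which the browser displays as text instead of executing. --%>
<p><c:out value="${msg}"/></p>

<%-- 3. SAFE, attribute context: fn:escapeXml is the usual idiom inside an
        HTML attribute value. Because " becomes &#034;, the value cannot
        close the attribute and smuggle in new ones (e.g. onfocus=...). --%>
<input type="text" name="msg" value="${fn:escapeXml(msg)}">

<%-- 4. Escaping is turned off only explicitly, and only for markup the
        application itself produced, never for anything user-controlled. --%>
<div><c:out value="${trustedHtml}" escapeXml="false"/></div>

<%-- 5. Another reason to keep <c:out>: a fallback for null/absent values.
        "missingVar" is intentionally never set on this page. --%>
<p><c:out value="${missingVar}" default="(no message)"/></p>

</body>
</html>
```

Deploy it in a Servlet 2.4+ container with the JSTL jar on the classpath (Tomcat 5.5 or newer, as BalusC notes), load the page and view the source: case 1 arrives as a live <script> element, cases 2 and 3 as entity-encoded text. One caveat a practitioner should keep in mind: escapeXml is the right encoder for HTML element and attribute contexts only. Inside a <script> block, an inline event handler or a URL, HTML entity encoding is the wrong tool, and a bare ${...} is just as unsafe there as it is in template text.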
