JSTL <out> tag

 
Vadim Vararu
Ranch Hand
Posts: 147
Can I somehow make the default value for the escapeXml attribute equal to "false"? It just occupies space in my code to make it always "false".
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65524
105
IntelliJ IDE Java jQuery Mac Mac OS X
Are you sure that's what you want? This should only be done for trusted text (text that comes from a known internal source) that you are sure won't need HTML-encoding.

Are you aware of the security implications of escapeXml="false"?

If you don't need the protection of the encoding, then why use <c:out> at all? Just specify the EL expression directly in template text. But be sure you understand the security implications of doing so!
 
Karthik Ramcn
Greenhorn
Posts: 3
I know that - by default, the value of the escapeXml attribute of the JSTL <c:out> tag is true. This default behavior ensures that HTML special characters, such as <, >, &, ', or ", contained in output strings are converted into their corresponding character entity codes and displayed properly in the HTML page produced by the JSP page.

But I am not aware of the security implications of having this attribute as false.

Could you please help me by letting me know the security implications?

Thanks for your time and effort!
 
Adeel Ansari
Ranch Hand
Posts: 2874
I think you already have the hint. Precisely, a user can inject code in the text, and that might not be your intention.
 
Carey Evans
Ranch Hand
Posts: 225
Debian Eclipse IDE Java
The main security exposure is called Cross Site Scripting, which you should be able to use to find more information.
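An added example, not code from any post in this thread, that makes the point of the two answers above concrete: a plain-Java stand-in for what `<c:out>` does with escapeXml="true" (the five characters Karthik lists), run side by side with the escapeXml="false" behaviour on a constructed piece of user input. The entity forms `&#034;` and `&#039;` for the quote characters mirror what JSTL's own escaping emits; treat that detail as an assumption, the escaping of `&`, `<` and `>` is the part that matters for the thread.

```java
// Added example (not from the thread): a plain-Java equivalent of
// <c:out value="..." escapeXml="true"/>, compared with escapeXml="false"
// on constructed user input. Entity forms for quotes are an assumption
// about JSTL's output; the escaping of & < > is the security-relevant part.
public final class EscapeXmlDemo {

    // Escapes the same five characters the thread lists: < > & ' "
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Models <c:out value="${value}" escapeXml="true|false"/>:
    // with escapeXml="false" the value reaches the page verbatim.
    static String cOut(String value, boolean escapeXml) {
        if (value == null) return "";
        return escapeXml ? escapeXml(value) : value;
    }

    // True when the rendered fragment still carries a tag or attribute
    // delimiter, i.e. a browser would parse it as markup rather than text.
    static boolean containsMarkupDelimiters(String rendered) {
        return rendered.indexOf('<') >= 0
            || rendered.indexOf('"') >= 0
            || rendered.indexOf('\'') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample: text a user might type into a comment field.
        String userInput = "Tom & Jerry <i>say \"hi\"</i>";

        String defaultOut = cOut(userInput, true);   // escapeXml defaults to true
        String rawOut     = cOut(userInput, false);  // escapeXml="false"

        System.out.println("escapeXml=true : " + defaultOut);
        System.out.println("escapeXml=false: " + rawOut);
        System.out.println("markup delimiters survive? default="
            + containsMarkupDelimiters(defaultOut)
            + " raw=" + containsMarkupDelimiters(rawOut));
    }
}
```

With the default, the `<i>` and the quotes come out as entities and the browser shows them as literal text; with escapeXml="false" (or, as Bear notes, with `${...}` written straight into template text) the same string is parsed as HTML, which is exactly the Cross Site Scripting exposure Carey names. The practical rule the thread arrives at: keep the default and only switch it off for values that are built from trusted, internal markup.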
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65524
105
IntelliJ IDE Java jQuery Mac Mac OS X
"karthik.rcn",

There aren't many rules that you need to worry about here on the Ranch, but one that we take very seriously regards the use of proper names. Please take a look at the JavaRanch Naming Policy and adjust your display name to match it.

In particular, your display name must be a first and a last name separated by a space character, and must not be obviously fictitious.

Thanks!
bear
JavaRanch Sheriff
