<c:out> nested inside an element attribute

Is nesting a JSTL tag inside an element attribute good practice, or is the var attribute of <c:out> usually preferred? This seems to work anyway, but I suspect it may not work on some application servers or JSP versions (and it just looks wrong).

For example, an input element whose own value is restored after a validation failure, with special characters escaped:

<input type="text" name="firstname" value="<c:out value="${param.firstname}"/>"/>

versus

<c:out value="${param.firstname}" var="firstname"/>
<input type="text" name="firstname" value="${firstname}"/>
2 answers

The generally accepted practice for preventing XSS attacks in HTML element attributes, without breaking the XML syntax with a nested <c:out>, is fn:escapeXml():

 <input type="text" name="firstname" value="${fn:escapeXml(param.firstname)}"/> 

I usually use ${} everywhere I can. It is simple and straightforward. I use <c:out> when I need additional functionality, such as the escapeXml feature.

In your example, you can actually do without <c:out>:

<input type="text" name="firstname" value="${param.firstname}"/>

Edit: XSS concerns

My answer does not address the XSS holes mentioned by BalusC and StuartWakefield. Although my answer is simplified, you really should always mitigate XSS holes. I prefer to use the OWASP taglib.

<span>${esc:forHtml(sketchyText)}</span>
<span><esc:forHtml value="${sketchyText}"/></span>
<input value="${esc:forHtmlAttribute(sketchyText)}"/>
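To make the difference between the two answers concrete, here is an added, stand-alone Java example (not code from the question or either answer, and not part of JSTL or the OWASP taglib). It re-implements the five replacements the JSTL specification defines for fn:escapeXml() so it runs without a servlet container, then renders the same input element both as value="${param.firstname}" (no escaping, as in the second answer's simplified form) and as value="${fn:escapeXml(param.firstname)}" (the first answer's form). The request value is a constructed attacker payload that breaks out of the quoted attribute without using any angle brackets at all, which is why escaping only < and > is not enough in attribute context.

```java
// Added example: what fn:escapeXml() / <c:out> do to a value, and why the
// unescaped ${param.firstname} form is an XSS hole inside an attribute.
// Build and run: javac AttrEscapeDemo.java && java AttrEscapeDemo
public final class AttrEscapeDemo {

    // Same five replacements JSTL specifies for escapeXml:
    // '<' '>' '&' '\'' '"'  ->  &lt; &gt; &amp; &#039; &#034;
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Output of the JSP for: value="${param.firstname}"  (JSP EL does not escape)
    static String renderUnescaped(String firstname) {
        return "<input type=\"text\" name=\"firstname\" value=\"" + firstname + "\"/>";
    }

    // Output of the JSP for: value="${fn:escapeXml(param.firstname)}"
    static String renderEscaped(String firstname) {
        return "<input type=\"text\" name=\"firstname\" value=\"" + escapeXml(firstname) + "\"/>";
    }

    // True if the rendered markup gained an event-handler attribute, i.e. the
    // attacker's value escaped the value="..." attribute.
    static boolean hasInjectedHandler(String html) {
        return html.contains(" onfocus=\"");
    }

    public static void main(String[] args) {
        // Constructed attacker input (hypothetical ?firstname=... parameter):
        // closes the value attribute and adds a handler, no '<' or '>' needed.
        String payload = "\" onfocus=\"alert(document.cookie)\" autofocus=\"";

        String raw = renderUnescaped(payload);
        String safe = renderEscaped(payload);

        System.out.println("unescaped: " + raw);
        System.out.println("escaped:   " + safe);
        System.out.println("handler injected (unescaped): " + hasInjectedHandler(raw));   // true
        System.out.println("handler injected (escaped):   " + hasInjectedHandler(safe));  // false
    }
}
```

Because fn:escapeXml() encodes both quote characters, it is sufficient for a value placed inside a quoted HTML attribute, which is the case in the question. It is not a general-purpose encoder: an unquoted attribute, a JavaScript string, or a URL parameter each need the context-specific encoders the second answer points to (forHtmlAttribute, forJavaScript, and so on in the OWASP taglib).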