Posted to users@tomcat.apache.org by Konstantin Kolinko <kn...@gmail.com> on 2010/06/12 00:12:49 UTC

Re: What is the difference between ${param.P} and <%= request.getParameter("P") %>?

2010/6/12 Otmar Manuela <ot...@caribmedia.com>:
>
> So the problem would not happen with ${param.P}, but only with
> ${param.my-code}.  I guess with parameters with dashes in it, it treats it
> as a calculation and therefore returns a 0.
>

Yes, it does.  BTW, you can use ${param['my-code']}

> Regarding the javascript attack in the code sample, you are probably right.
>  I guess a <c:out> escaping the XML characters will probably help a lot
> already, but it does require more thought.
>

or use ${fn:escapeXml( ... )}

The URI for the fn prefix is
http://java.sun.com/jsp/jstl/functions

Best regards,
Konstantin Kolinko
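
An added example, not part of the original message or of Tomcat's own code: a JSP fragment placing the forms discussed in this thread side by side. The parameter name my-code and the fn URI come from the thread; the page layout, the c and fn prefixes, and a JSTL 1.1+ library on the classpath are assumptions.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%-- JSTL core and functions libraries; the fn URI is the one quoted in the thread --%>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<html>
<body>
<%-- Parsed as (param.my) - (code): both operands are null and are coerced to 0,
     so this prints 0 whatever the request contains --%>
<p>Dot syntax: ${param.my-code}</p>

<%-- Bracket syntax reads the parameter named "my-code", but writes it unescaped:
     markup in the request value reaches the browser as markup --%>
<p>Unescaped EL: ${param['my-code']}</p>

<%-- Same exposure with a scriptlet expression; it also prints the text "null"
     when the parameter is absent, where EL prints an empty string --%>
<p>Scriptlet: <%= request.getParameter("my-code") %></p>

<%-- c:out escapes < > & ' " by default (escapeXml="true") --%>
<p>c:out: <c:out value="${param['my-code']}"/></p>

<%-- fn:escapeXml applies the same escaping inside an EL expression,
     which makes it usable in quoted attribute values as well --%>
<p>fn:escapeXml: ${fn:escapeXml(param['my-code'])}</p>
<input type="text" name="my-code" value="${fn:escapeXml(param['my-code'])}"/>
</body>
</html>
```

This escaping covers HTML element content and quoted attribute values; a value written into a script block or a URL needs encoding for that context.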
