Posted to users@tomcat.apache.org by Konstantin Kolinko <kn...@gmail.com> on 2010/06/12 00:12:49 UTC
Re: What is the difference between ${param.P} and <%= request.getParameter("P") %>?
2010/6/12 Otmar Manuela <ot...@caribmedia.com>:
>
> So the problem would not happen with ${param.P}, but only with
> ${param.my-code}. I guess with parameters with dashes in it, it treats it
> as a calculation and therefore returns a 0.
>
Yes, it does. BTW, you can use ${param['my-code']}
> Regarding the javascript attack in the code sample, you are probably right.
> I guess a <c:out> escaping the XML characters will probably help a lot
> already, but it does require more thought.
>
or use ${fn:escapeXml( ... )}
The URI for the fn prefix is http://java.sun.com/jsp/jstl/functions
Best regards,
Konstantin Kolinko
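
The forms discussed in this reply, side by side, as an added example that is not code from the thread or from Tomcat. It assumes JSTL is available to the web application; the core taglib declaration and the surrounding page markup are assumptions, and "my-code" is the parameter name from the thread.

```jsp
<%-- Added example: how each form handles a request parameter named "my-code". --%>
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<html>
<body>
  <%-- 1. Dot form: EL parses this as (param.my) - (code).
          Both operands are null, and null - null evaluates to 0,
          so the real parameter value is never read. --%>
  <p>Dot form: ${param.my-code}</p>

  <%-- 2. Bracket form: reads the parameter correctly, but the value is
          written into the page unescaped. This is the form to avoid
          for request data. --%>
  <p>Bracket form, unescaped: ${param['my-code']}</p>

  <%-- 3. c:out escapes XML characters by default (escapeXml="true"):
          < > & ' " are written as character entities. --%>
  <p>c:out: <c:out value="${param['my-code']}"/></p>

  <%-- 4. fn:escapeXml performs the same escaping inside an EL expression,
          which is convenient inside a quoted attribute value. --%>
  <p>fn:escapeXml: ${fn:escapeXml(param['my-code'])}</p>
  <input type="text" name="my-code"
         value="${fn:escapeXml(param['my-code'])}"/>
</body>
</html>
```

Forms 3 and 4 cover HTML element content and quoted attribute values; a value written inside a script block or a URL needs encoding for that context instead.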