Posted to user@struts.apache.org by Rick Reumann <st...@reumann.net> on 2006/01/19 16:02:52 UTC
Be Careful though: was Re: Struts JSTL & EL
Josh McDonald wrote the following on 1/18/2006 5:29 PM:
> Servlet 2.4 lets you use EL all over the place in JSPs? That rocks me,
> can someone please send me a link to some good examples of just how
> out-there you can get?
Just remember to consider using c:out vs just the straight EL ${}...
Craig brought this up a while ago and I wasn't even aware of the
concerns. For outputting text you should be careful of just using
${someVar} vs <c:out value="${someVar}"/> By default c:out will escape
the characters so that what is inputted for someVar will show up. Just
using ${} does not escape the characters, so if you aren't careful with
what you do on the backend, someone possibly could enter in a javascript
string which will get persisted to the db, and then on a display page if
you simply display this field using the built in EL support, you'll end
up with Javascript executing on the page:)
Try it out, do this on your page:
<c:set var="test"
value="<script>this.location='http://www.espn.com';</script>"/>
<body>
stuf
stuff
${test}
</body>
Then try it with
<c:set var="test"
value="<script>this.location='http://www.espn.com';</script>"/>
<body>
stuf
stuff
<c:out value="${test}"/>
</body>
--
Rick
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: Be Careful though: was Re: Struts JSTL & EL
Posted by Rahul Akolkar <ra...@gmail.com>.
On 1/19/06, Rick Reumann <st...@reumann.net> wrote:
> Rahul Akolkar wrote the following on 1/19/2006 3:30 PM:
>
> > For such concerns ...
> >
> > ${fn:escapeXml(test)}
> >
> > is an option.
> >
> > <c:out/> is overrated in JSP >= 2.0, IMO.
>
> Just curious why is ${fn:escapeXml(test)} any better than <c:out
> value='${test}'/> ?
>
<snip/>
Let's lay out all the options:
1) ${test}
2) ${fn:escapeXml(test)}
3) <c:out value="${test}" />
4) <c:out value="${test}" escapeXml="false" />
And the scenarios:
a) "test" must be escaped
b) "test" cannot contain characters that need to be escaped
c) "test" must not be escaped
Then, keeping aside jspx/tagx files:
i) For (b) and (c), (1) wins, the criteria being:
* Verbosity
* Need for JSP tag invocation.
ii) For (a), (2) wins because I'm already doing (i).
Of course, to each their own.
-Rahul
> --
> Rick
>
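Rick's page above shows the payload, and Rahul's list names the four ways of emitting it. As an added example (not code from this thread, and not the JSTL implementation itself), the Java class below re-implements the five replacements the JSTL specification defines for fn:escapeXml and for c:out with escapeXml="true" (`<`, `>`, `&`, `'`, `"`), so the difference between options (1)/(4) and (2)/(3) can be checked without deploying a JSP. It also goes one step past the thread: the two attribute contexts at the end, constructed for this demo, show where that same escaping is and is not sufficient.

```java
/*
 * Added example; not code from this thread or from JSTL. escapeXml() below
 * applies the same five replacements the JSTL spec defines for
 * fn:escapeXml and <c:out escapeXml="true"> (<, >, &, ', "), so the
 * effect of the four output options can be checked outside a servlet
 * container. The payloads and page fragments are constructed for the demo.
 */
public class EscapeXmlDemo {

    // Rick's payload from the thread
    static final String SCRIPT_PAYLOAD =
        "<script>this.location='http://www.espn.com';</script>";

    /** The JSTL escapeXml character table, reimplemented here. */
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Options (1) and (4): the value reaches the response untouched. */
    static String renderRaw(String value) {
        return "<body>stuff " + value + "</body>";
    }

    /** Options (2) and (3): the value is entity-encoded first. */
    static String renderEscaped(String value) {
        return "<body>stuff " + escapeXml(value) + "</body>";
    }

    static void check(boolean ok, String what) {
        System.out.println((ok ? "PASS " : "FAIL ") + what);
        if (!ok) {
            throw new AssertionError(what);
        }
    }

    public static void main(String[] args) {
        // Element content (what Rick's page does): raw output ships the tag,
        // escaped output ships text the browser will only display.
        check(renderRaw(SCRIPT_PAYLOAD).contains("<script>"),
              "${test} / escapeXml=\"false\" emit a live <script> element");
        String escaped = renderEscaped(SCRIPT_PAYLOAD);
        check(escaped.contains("&lt;script&gt;") && !escaped.contains("<script>"),
              "fn:escapeXml / c:out turn it into inert text");

        // Quoted attribute: the quote is in the table, so the value cannot
        // close the attribute and start an event handler.
        String attrPayload = "\" onmouseover=\"alert(1)";
        String quotedAttr = "<input value=\"" + escapeXml(attrPayload) + "\">";
        check(!quotedAttr.contains("\" onmouseover"),
              "inside a quoted attribute the break-out is encoded away");

        // Unquoted attribute: space and '=' are not in the table, so the
        // escaping changes nothing and the browser parses a second attribute.
        // escapeXml is only enough where the value sits in element content
        // or inside a quoted attribute.
        String unquotedPayload = "x onmouseover=alert(1)";
        String unquotedAttr = "<input value=" + escapeXml(unquotedPayload) + ">";
        check(unquotedAttr.equals("<input value=x onmouseover=alert(1)>"),
              "in an unquoted attribute escapeXml passes the handler through");
    }
}
```

Compile and run it with `javac EscapeXmlDemo.java && java EscapeXmlDemo`; the last check is the one to remember when choosing between the options: whichever of (2) or (3) you prefer, always quote the attribute the value lands in.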
Re: Be Careful though: was Re: Struts JSTL & EL
Posted by Rick Reumann <st...@reumann.net>.
Rahul Akolkar wrote the following on 1/19/2006 3:30 PM:
> For such concerns ...
>
> ${fn:escapeXml(test)}
>
> is an option.
>
> <c:out/> is overrated in JSP >= 2.0, IMO.
Just curious why is ${fn:escapeXml(test)} any better than <c:out
value='${test}'/> ?
--
Rick
Re: Be Careful though: was Re: Struts JSTL & EL
Posted by Rahul Akolkar <ra...@gmail.com>.
On 1/19/06, Rick Reumann <st...@reumann.net> wrote:
> Josh McDonald wrote the following on 1/18/2006 5:29 PM:
> > Servlet 2.4 lets you use EL all over the place in JSPs? That rocks me,
> > can someone please send me a link to some good examples of just how
> > out-there you can get?
>
> Just remember to consider using c:out vs just the straight EL ${}...
>
<snip/>
For such concerns ...
${fn:escapeXml(test)}
is an option.
<c:out/> is overrated in JSP >= 2.0, IMO.
The one place it is useful is to ensure well-formedness in jspx files.
jspx/tagx files are revolutionary in concept, and a step in the right
direction, though I doubt many folks use them extensively.
-Rahul
> Craig brought this up a while ago and I wasn't even aware of the
> concerns. For outputting text you should be careful of just using
> ${someVar} vs <c:out value="${someVar}"/> By default c:out will escape
> the characters so that what is inputted for someVar will show up. Just
> using ${} does not escape the characters, so if you aren't careful with
> what you do on the backend, someone possibly could enter in a javascript
> string which will get persisted to the db, and then on a display page if
> you simply display this field using the built in EL support, you'll end
> up with Javascript executing on the page:)
>
> Try it out, do this on your page:
>
> <c:set var="test"
> value="<script>this.location='http://www.espn.com';</script>"/>
> <body>
> stuf
> stuff
> ${test}
> </body>
>
> Then try it with
>
> <c:set var="test"
> value="<script>this.location='http://www.espn.com';</script>"/>
> <body>
> stuf
> stuff
> <c:out value="${test}"/>
> </body>
>
>
> --
> Rick
>
Re: Be Careful though: was Re: Struts JSTL & EL
Posted by Craig McClanahan <cr...@apache.org>.
On 1/19/06, Rick Reumann <st...@reumann.net> wrote:
>
> Josh McDonald wrote the following on 1/18/2006 5:29 PM:
> > Servlet 2.4 lets you use EL all over the place in JSPs? That rocks me,
> > can someone please send me a link to some good examples of just how
> > out-there you can get?
>
> Just remember to consider using c:out vs just the straight EL ${}...
This is definitely a valid concern. But using JSP 2.0 lets you use EL
expressions for the attributes of *any* JSP custom tag, not just the tags
that know about them. And this is still quite valuable.
Craig
> Craig brought this up a while ago and I wasn't even aware of the
> concerns. For outputting text you should be careful of just using
> ${someVar} vs <c:out value="${someVar}"/> By default c:out will escape
> the characters so that what is inputted for someVar will show up. Just
> using ${} does not escape the characters, so if you aren't careful with
> what you do on the backend, someone possibly could enter in a javascript
> string which will get persisted to the db, and then on a display page if
> you simply display this field using the built in EL support, you'll end
> up with Javascript executing on the page:)
>
> Try it out, do this on your page:
>
> <c:set var="test"
> value="<script>this.location='http://www.espn.com';</script>"/>
> <body>
> stuf
> stuff
> ${test}
> </body>
>
> Then try it with
>
> <c:set var="test"
> value="<script>this.location='http://www.espn.com';</script>"/>
> <body>
> stuf
> stuff
> <c:out value="${test}"/>
> </body>
>
>
> --
> Rick
>