what is c:out used for in jsp
I have seen something like
<c:out something
</c:out>
what is this used for
It is used to print server-side variables while taking HTML/XML escaping into account. When applying this on user-controlled input (request parameters, headers, cookies, saved data, etc), this will prevent your site from potential XSS attack holes.
If the data-to-be-displayed is in no way controlled by the end user and you're using JSP 2.0 or newer (web.xml is declared as Servlet 2.4 or newer and the container supports it), then you can also just use
${bean.property}
instead of
<c:out value="${bean.property}" />
See also:
- XSS prevention in Java/JSP
- How does an XSS attack really work?
This tag is used to output data directly to the page. It is useful if you have a variable you want to display to the user. By default c:out escapes HTML characters so that you are protected against an XSS attack.
Another feature is that you can provide a "default" string in the event that your expression is null:
<c:out value="${foo.bar}">Foobar is null!</c:out>
c:out can be used to print variables AND escapes HTML characters so is safer.
It is also useful for displaying default text when the variable is null.
e.g.
<c:out value="${variable}">variable is null</c:out>
will display "variable is null" if variable is not set.
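The forms discussed in the answers above, side by side, as an added example that is not part of the original posts. The variable names `comment` and `missing` and the sample value are constructed, and the taglib URI assumes a JSTL 1.1/1.2 container.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- Constructed sample value standing in for user-controlled input
     (a request parameter, header, cookie or stored data). --%>
<c:set var="comment"><b>Tom & "Jerry"</b></c:set>

<%-- 1. Plain EL (JSP 2.0+): the value is written to the response as-is,
        so the browser interprets the <b> element as markup.
        Only suitable for data the end user cannot control. --%>
<p>${comment}</p>

<%-- 2. c:out with its default escapeXml="true": the characters
        <, >, &, ' and " are replaced with character entities,
        so the browser shows the markup as literal text. --%>
<p><c:out value="${comment}" /></p>

<%-- 3. escapeXml="false" switches the escaping off, which makes
        c:out behave like form 1. Avoid it for untrusted data. --%>
<p><c:out value="${comment}" escapeXml="false" /></p>

<%-- 4. Fallback text when the value is null, given either as the tag
        body or as the default attribute. "missing" is never set. --%>
<p><c:out value="${missing}">no comment given</c:out></p>
<p><c:out value="${missing}" default="no comment given" /></p>
```

Viewing the page source in the browser shows the difference between forms 1 and 2 directly.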