Article:   Six Cool New JSP and Servlet Features
Subject:   <c:out/> and escaping
Date:   2004-02-11 21:30:15
From:   pelletk
Thanks for the article - a good synopsis of highlights of the new features, and well-explained to boot.


I'd just like to point out that a bare EL statement such as ${foo} is not quite the equivalent of <c:out value='${foo}'/>.


The distinction is that <c:out../> will escape XML characters by default (this can be turned off with escapeXml='false'), whereas ${foo} will leave the contents of foo untouched.


I've recently seen it suggested elsewhere that JSP 2.0 pages should replace all <c:out/> with ${...}. This could have serious side-effects if the content of the variables presented is not considered carefully with respect to escaping.



  • <c:out/> and escaping
    2004-02-12 10:14:45  bperry

    I will add to your helpful comment:
    Using Tomcat 5.x, include the following code in a JSP:
    <c:set var="myValue" value="a tag </tag>" />
    <c:out value="${myValue}" /></ br>
    ${myValue}


    This will produce the following browser output in the client:

    a tag </tag></ br>
    a tag </tag>


    Meaning that the client browser will output "</tag>" when the c:out element is used (because the "</ >" characters are escaped); however, including the EL statement in template text will cause the tag to be added to the underlying template code.
    • <c:out/> and escaping
      2004-02-12 10:18:37  bperry

      Let me edit that message above because it did not display properly; here's the browser output of the two statements when you select "View Source" in the browser:

      a tag </tag></ br>
      a tag </tag>
      • <c:out/> and escaping
        2004-02-12 10:22:17  bperry

        Oh well, that didn't display properly either... The c:out element outputs the character entities and the "EL in template" form outputs the actual tag in this case, which ends up embedded in the underlying HTML.
        • <c:out/> and escaping
          2004-05-22 07:24:55  wanjm

          But when I write the sentence in a JSP file,
          it displays: ${myValue} ${myValue} when I use the sentence

          <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>

          But when I use
          <%@ taglib uri="http://java.sun.com/jstl/core" prefix="c" %>
          it displays a tag </tag> ${myValue} on the screen.
          Could you tell me the reason?
          I am using Tomcat 5.0.16.
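
The escaping difference discussed in this thread, as an added example that is not part of the article or of any poster's message: one JSP 2.0 page that renders the same value through bare EL, <c:out/>, and fn:escapeXml. It assumes a JSP 2.0 container with JSTL 1.1 on the classpath; the value of myValue and the form field name "q" are constructed for illustration, and fn:escapeXml goes slightly beyond the thread as the way to keep ${...} syntax while still escaping.

```jsp
<%-- Added example; not code from the article or the thread.
     Assumes a JSP 2.0 container with JSTL 1.1 available.
     isELIgnored="false" makes sure ${...} in template text is evaluated. --%>
<%@ page contentType="text/html; charset=UTF-8" isELIgnored="false" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>

<%-- Constructed sample value standing in for data the page did not author. --%>
<c:set var="myValue" value="a tag </tag> & more" />

<html>
<body>
<table border="1">
  <tr><th>Form</th><th>Rendered value</th></tr>

  <%-- 1. Bare EL in template text: the value is written unchanged, so any
          markup in it becomes part of the page's own HTML. --%>
  <tr><td>bare EL</td><td>${myValue}</td></tr>

  <%-- 2. c:out with its default escapeXml='true': the characters
          < > & ' " are replaced with character entities. --%>
  <tr><td>c:out</td><td><c:out value="${myValue}" /></td></tr>

  <%-- 3. c:out with escaping turned off: behaves like form 1. --%>
  <tr><td>c:out, escaping off</td>
      <td><c:out value="${myValue}" escapeXml="false" /></td></tr>

  <%-- 4. fn:escapeXml inside the expression: same escaping as form 2,
          usable where a page has already replaced c:out with EL. --%>
  <tr><td>fn:escapeXml</td><td>${fn:escapeXml(myValue)}</td></tr>
</table>

<%-- Inside an HTML attribute a tag cannot be nested, so fn:escapeXml is the
     practical way to escape; it also encodes both quote characters. --%>
<form action="#">
  <input type="text" name="q" value="${fn:escapeXml(myValue)}" />
</form>
</body>
</html>
```

Compare the four table rows with "View Source" rather than in the rendered page, since the browser displays the entities of forms 2 and 4 as the original characters.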